Abstract


In some applications of public key cryptography it is desirable, and perhaps even necessary, that the key size be as small as possible. Moreover, the cryptosystem just needs to be secure enough that breaking it is not computationally feasible. Most of the known public key cryptosystems are totally insecure if the key size is restricted to about 100-150 bits. Recently Lenstra demonstrated the feasibility of factorizing a 450-bit composite integer, LaMacchia and Odlyzko computed logarithms in the field over a 192-bit prime, while Gordon and McCurley were able to compute logarithms in GF(2^401). These results justify the unsuitability of the RSA and ElGamal schemes for applications requiring smaller key sizes. A suitable candidate for such applications that remains is an elliptic curve cryptosystem, which provides security equivalent to RSA and other systems but with a much smaller key length. The purpose of this thesis is to provide a practical implementation of these systems.

With the increasing demand for smart card based applications, efficient software implementation of elliptic curve cryptosystems poses a challenge for cryptographers and software professionals. In this thesis, we have made an attempt to implement them on the Pentium as well as on the TMS320C40 digital signal processor using an optimizing C cross compiler. The algorithm we adopted is the elliptic curve based ElGamal scheme over the Galois field GF(2^n). To obtain minimal complexity in computations, we used optimal normal bases for field arithmetic.
Chapter 1


Introduction 


Data security is an important issue in this present age of computer networking, where several types of network attacks, electronic frauds and network hacking are obvious things to happen. With the rapidly growing world of communication through computers over the publicly available and highly insecure open medium of the Internet, there is a heightened demand for protecting data during its storage as well as during its transmission from any type of possible attack. So computer security and network/internetwork security are the two fundamental requirements in the field of information technology, where data protection is a crucial issue. Now, how is this data security achieved? Here the art of secret writing comes into the picture, known as cryptography.

1.1 Cryptography

The word cryptography contains two Greek words, Kryptos and Graphien. The first word means hidden and the second means to write. In this way, the art of writing messages in such a way that they hide their original content is cryptography. But in the world of computer communication and information technology, this art becomes a technology for sending secret information over insecure communication channels such that only the intended recipient can read the message.

The field of cryptography is thousands of years old. Earlier, the scope of this field was considered to be limited to military and diplomatic communities. Today, as communication networks are being extensively used by banks, industrial and government organizations to convey highly sensitive and privileged information, information security has become extremely important and much attention has been focused on this area.

The three most needed operations for achieving data secrecy and data authenticity are encryption, decryption and digital signature. Encryption is the process of encoding the data at the transmitting end so as to hide its substance. The data to be encrypted is called plaintext and the encrypted data is called ciphertext. The process of recovering the plaintext from the ciphertext at the receiving end is called decryption. Digital signatures, the electronic analog of handwritten signatures, are used for proving the sender's identity to the receiver. This process is called authentication. These operations are controlled by a cryptographic key or a pair of keys, depending upon the type of cryptosystem used, i.e. private key cryptosystems or public key cryptosystems.

1.2 Private Key Cryptography

In this type of cryptography the security of the whole cryptosystem relies on a single key. This key, a string of bits, is kept secret because disclosure of this key breaks down the security of the whole system. To use such a system, sender and receiver initially agree upon a secret key, and both possess this key in advance before starting communication. They may do this, for example, by physically meeting or by using the services of a trusted courier. Now the sender encrypts the plaintext by using this secret key, and at the receiving end the receiver decrypts the ciphertext using the same key and recovers the plaintext. Since no third person has this key, data secrecy is sustained. The most widely used private key cryptosystem today is the Data Encryption Standard [NBS77]. To know more about private key cryptography, see [Sta95, Sch93, Sim91, Denn].

Although private key cryptography is adequate for many applications, it suffers from some problems. First is the key distribution problem, as a secret channel for selecting a common key may not be available. Second is the key management problem: as every pair of users must share a different secret key, if the number of users is large then the number of keys becomes unmanageable. Moreover, no signature is possible: as sender and receiver have the same capabilities for encryption and decryption, the receiver cannot convince a third party that a message he received from the sender in fact originated from the sender.

To avoid these three deficiencies in private key cryptography, a need was felt to devise some suitable alternative. Consequently, in 1976, W. Diffie and M. Hellman [DH76, DH79] invented public key cryptography.

1.3 Public Key Cryptography

With the invention of public key cryptography in 1976 came a new revolution in the field of cryptography, and today, when several good public key cryptosystems have already come onto the market, research in this area is continuously going on to devise better and better systems. Public key cryptosystems are two-key cryptosystems, wherein each user has both a public and a private key, and two users can communicate knowing only each other's public keys. The public keys of all the users are publicly available in a database over the network, so any user can get the public key of any other user from this database. Now if a user wants to send a message to any other user, the sender encrypts the message by using his/her private key and the receiver's public key. At the receiving end the receiver decrypts the ciphertext by using his/her private key and the sender's public key. Since the private key of the receiver is not possessed by anyone else, data secrecy is sustained because no other person can decrypt the received data. Moreover, data authenticity is also achieved since no other person can encrypt the data using the transmitter's private key. In this way, the three deficiencies of private key cryptography are automatically removed in this type of cryptography.

Security of public key cryptosystems relies on a very useful and interesting property of some special type of mathematical functions known as one way functions. A one way function is an invertible function which is very easy to compute in one direction but very difficult in the reverse direction. One example is: it is easy to compute $n = pq$, where $p$ and $q$ are two large primes, but it is very difficult to find $p$ and $q$ if only their product $n$ is known. This property of one way functions is well known as the integer factorization problem. The other example is: it is easy to compute $b = a^x$ if $a$ and $x$ are given, but it is very difficult to find $x$ from this equation in a large finite multiplicative group. This one way property is well known as the discrete logarithm problem. This problem is considered to be very difficult if the order of the group $G$ is very large. The points on an elliptic curve also form a one way function, as we will see in chapter 2.

1.4 RSA: Today's most widely used public key cryptosystem

The RSA cryptosystem was invented in 1977 by Rivest, Shamir and Adleman [RSA78] and today it is the most widely used public key cryptosystem. The security of the RSA system relies on the factorization of a large integer. To set up this system each user A picks two large primes $p$ and $q$ and computes their product $n = pq$. A's public key is the pair of integers $(n, e)$ and his/her private key is $d$. The arithmetic is done over the finite multiplicative group of units in the integers modulo $n$, as shown below.

Encryption: $C = M^e \bmod n$, where $M \in [0, n-1]$ is the message block.

Decryption: $M = C^d \bmod n$, where $e$ and $d$ satisfy the relation $ed \bmod \phi(n) = 1$, with $\phi(n) = (p-1)(q-1)$.

From the above arithmetic, it is clear that the security of the RSA cryptosystem relies on the factorization of $n$. In other words, breaking RSA is equivalent to factoring $n$. A great deal of progress has been made in devising efficient algorithms for factoring integers, and this has threatened the security of RSA. With the current state of our knowledge and technology, if $p$ and $q$ are each about 100 decimal digits, so that $n$ is 200 digits, then factoring $n$ is an intractable problem. So, if $n$, $d$ and $e$ are each 200 decimal digits (664 bits), the storage requirement per user is about 2,000 bits. Since both $e$ and $n$ must be made public, the public storage requirement is thus about 1.3 kilobits per user. At the same time, to encrypt or decrypt a 664-bit number requires 1 to 2 multiplications in modular arithmetic per bit, or about 1,000 multiplications in total. In this regard of storage and processing requirements, RSA is unsuitable for applications where processing power and storage space are limited. One such application is the smart card, where processing power and storage space are crucial issues.
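As an added illustration (not part of the thesis), the RSA set-up, encryption, decryption and the dependence on factoring described above, written in Python with toy primes chosen here for readability ($p = 61$, $q = 53$, $e = 17$); the function names and the trial-division factoring routine are this example's own:

```python
import math

def rsa_keygen(p, q, e):
    """Set up RSA from two primes p, q and a public exponent e: returns (n, e, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)                  # phi(n) = (p-1)(q-1)
    d = pow(e, -1, phi)                      # ed = 1 mod phi(n); ValueError if gcd(e, phi) != 1
    return n, e, d

def rsa_encrypt(m, n, e):
    """C = M^e mod n for a message block 0 <= m < n."""
    if not 0 <= m < n:
        raise ValueError("message block must lie in [0, n-1]")
    return pow(m, e, n)

def rsa_decrypt(c, n, d):
    """M = C^d mod n."""
    return pow(c, d, n)

def factor_by_trial_division(n):
    """Split n = pq by trial division; only feasible because n is tiny here."""
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no nontrivial factor found")

def private_exponent_from_factors(n, e):
    """Once n is factored, d follows immediately from phi(n): this is why the
    security of RSA rests on the difficulty of factoring n."""
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))

def key_storage_bits(n, e, d):
    """Bits a user must hold for (n, e, d), the per-user storage cost discussed above."""
    return n.bit_length() + e.bit_length() + d.bit_length()

if __name__ == "__main__":
    n, e, d = rsa_keygen(61, 53, 17)         # toy primes, constructed for illustration only
    c = rsa_encrypt(65, n, e)
    print(n, e, d, c, rsa_decrypt(c, n, d))  # 3233 17 2753 2790 65
    print(private_exponent_from_factors(n, e))   # 2753, recovered from the factors of n
    print(key_storage_bits(n, e, d))         # 29 bits for this toy key
```

With real parameters `factor_by_trial_division` is hopeless, which is exactly the gap between the 664-bit moduli discussed above and the toy modulus here; the rest of the arithmetic is identical.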

1.5 Cryptographic Smart Card: an ultimate secure device

Internet commerce, pay channel television, public telephones, data access control, etc. are such areas that have led to a heightened demand for an information security device known as the smart card. This pocket size plastic card looks like an ordinary credit card but contains memory and processing capabilities. The smart card, in fact, is a multipurpose, tamper resistant security device which is equipped with volatile and non-volatile memory and a microprocessor, all on a single 20 mm$^2$ chip, for carrying out the computations for various security services like encryption, decryption and digital signature. The basic advantage of the smart card is that the secret key of the user is stored in non-volatile memory and never leaves the card. All the processing required for encryption and decryption is done on the card itself. Since development of an efficient smart card cryptosystem is an important issue today, there is a need to point out the limitations of the current system and to go for some better system that avoids these limitations. Due to its small size and small processing power, the public key algorithm selected for a smart card should have storage and processing requirements as small as possible. Presently, RSA is being widely used for smart cards, and significant advances have also been made on efficient implementation of these cryptosystems, including custom VLSI chips [OSA92, VVDJ92, Bri89] and very efficient digital signal processor software implementations on the Texas Instruments TMS32010 [PB86] and Motorola DSP56000 [DJ91]. Keeping in mind the present state of computational technology, the RSA system requires modular arithmetic on at least 512-bit integers. The chip [IWSD92] designed to do modular multiplication of 512-bit numbers has about 50,000 gates, while the chip designed to perform arithmetic in the field $F_{2^{593}}$ has about 90,000 gates. With current technology, placing these devices on a 20 mm$^2$ smart card chip is a complicated and expensive procedure. Moreover, under the recent improvements in integer factorization and parallel processing, the security of these systems is facing a serious threat. Recently, Lenstra et al. were able to factor a 450-bit composite integer using distributed processing. Hence, for the cryptosystems to be secure, the size of the modulus integers needs to be increased further. This further increases the VLSI implementation related problems.

Because of all these reasons, alternatives to RSA are being looked at with great interest. One suitable alternative, which may become a proper substitute for RSA in the future, is elliptic curve cryptosystems.

1.6 Elliptic Curve Public Key Cryptosystems: a proper substitute for RSA in the future

The theory of elliptic curves is not very new in the field of algebraic geometry and number theory, but the application of these curves in the field of cryptography is a new idea. Elliptic curves were first suggested in 1985 by N. Koblitz [KOB87] and V. Miller [MILL85] for implementing public key cryptosystems. The points on an elliptic curve over a finite field form an abelian group. The binary operation of this abelian group involves a few arithmetic operations in the field over which the curve is defined. Moreover, the discrete logarithm problem in this group is much more difficult than the discrete logarithm problem over a field of the same size. Although there are several algorithms for finding logarithms in a finite field, there are only a few which are applicable over an arbitrary group. In particular there seems to be no proper choice of any algorithm for the group formed by the points on the curve. For this reason, the field size over which the curve is defined can be made smaller, for example $F_{2^{155}}$ or even $F_{2^{135}}$, without compromising on security. Furthermore, over a given field, a number of different elliptic curves are possible. Consequently, using the same hardware, a user can change the chosen curve periodically to gain extra security.

Since elliptic curve public key cryptosystems provide security equivalent to RSA even with shorter key lengths, and hence have much smaller bandwidth, memory and processing requirements, these systems may be very useful in the design of smart card based cryptosystems. From the point of view of hardware implementation, a VLSI chip, an $F_{2^{155}}$ ASIC (application specific integrated circuit), has been built [AMV93] to demonstrate the feasibility of such devices. It has only about 11,000 gates, and the complete elliptic curve cryptosystem over $F_{2^{166}}$ could be fabricated using less than 4% of the 20 mm$^2$ designated for a smart card processor.


1.7 What has been done in this thesis

Since elliptic curve cryptosystems may offer security equivalent to RSA, even with much smaller memory and processing requirements, a lot of work in this particular area of cryptography is being done with the increasing popularity of smart cards and electronic commerce. This thesis also is aimed at the software implementation of elliptic curve public key cryptosystems. At the same time, design issues of smart cards have been discussed. A brief survey on electronic commerce is also included. The work done in this thesis is as follows.

• Subroutines for efficient arithmetic in GF(2^n) are written.

• A package for encryption and decryption with very small key lengths of about 100 bits, for example over GF(2^…). This package may be useful in applications where the public keys are desired to be as small as possible without losing any security. One such application is secure e-mail exchange or secure transmission of messages by fax. This has been successfully tested on the Pentium 100 MHz/DOS and Pentium 150 MHz/Linux.

• A package for encryption and decryption over much higher fields, up to … on the TMS320C40 25 MHz digital signal processor using an optimizing C cross compiler.

• A brief study on smart cards and e-commerce.

All the implementation work has been done in today's most general purpose language, ANSI C, without using any ready made package. So, this must be useful at the application level, where one would not like to install a whole package for getting services like e-mail security.

1.8 Organization of the Thesis

The thesis is organized into 6 chapters, including the present one. Chapter 2 introduces the notion of elliptic curves over GF(2^n) and covers some arithmetic results which are necessary for implementation. Chapter 3 describes the elliptic curve discrete logarithm problem with its security aspects. Various algorithms to compute it have been discussed. It also suggests how an elliptic curve should be chosen for building a cryptosystem so that all known algorithms fail to compute the DLP. In chapter 4, we discuss some elliptic curve public key cryptosystems. An elliptic curve based smart card cryptosystem has also been designed in this chapter. In chapter 5 we have given the implementation work in detail. All algorithms have been clearly specified with their implementation results. Chapter 6 concludes the thesis. The thesis also has one appendix in which a brief introduction to electronic commerce has been given.
Chapter 2


An Introduction to Elliptic Curves 


As we mentioned earlier, the points on an elliptic curve over a finite field constitute an abelian group. In this chapter, we will introduce the notion of elliptic curves, see the arithmetic of these points in this abelian group, and collect some results which have been used in the implementation of elliptic curve public key cryptosystems.

Note: Before reading this chapter, readers should be familiar with algebraic number theory, class field theory and algebraic geometry. For this, they may refer to [PS92, Ono90, Cha88, IR82, Hec93, Coh78, Ros94, Sil94, FYa95, BJN94].

2.1 Weierstrass Equation 

Let $K$ be a finite field $F_q$ containing $q$ elements, where $q$ is a prime power. Let $\bar{K}$ denote its algebraic closure and $P^2(\bar{K})$ the projective plane over $\bar{K}$. A Weierstrass equation is a homogeneous (projective) equation of degree 3 of the form

$$Y^2 Z + a_1 XYZ + a_3 Y Z^2 = X^3 + a_2 X^2 Z + a_4 X Z^2 + a_6 Z^3,$$

where $a_1, a_2, a_3, a_4, a_6 \in \bar{K}$.

If for all points $P \in P^2(\bar{K})$ satisfying
$$E_1: \; y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$$

$$E_2: \; y^2 + \bar{a}_1 xy + \bar{a}_3 y = x^3 + \bar{a}_2 x^2 + \bar{a}_4 x + \bar{a}_6$$

are isomorphic over $K$, denoted $E_1/K \cong E_2/K$, if and only if there exist $u, r, s, t \in K$, $u \neq 0$, such that the change of variables

$$(x, y) \to (u^2 x + r,\; u^3 y + u^2 s x + t)$$

transforms equation $E_1$ to equation $E_2$. The relationship of isomorphism is an equivalence relation.

2.3 Group Law 

As said earlier, the points on an elliptic curve constitute an abelian group. Now we will see the addition rules of this group. Let $E$ be an elliptic curve given by the non-homogeneous Weierstrass equation. The addition rules are given below. For all $P, Q \in E$:

1. $O + P = P$ and $P + O = P$. So $O$ serves as the identity element.

2. $-O = O$.

3. If $P = (x_1, y_1) \neq O$, then $-P = (x_1, -y_1 - a_1 x_1 - a_3)$. For a given elliptic curve, $P$ and $-P$ are the only points with x-coordinate equal to $x_1$.

4. If $Q = -P$, then $P + Q = O$.

5. If $P \neq O$, $Q \neq O$, $Q \neq -P$, then let $R$ be the third point of intersection with the curve of either the line $PQ$ if $P \neq Q$, or the tangent line to the curve at $P$ if $P = Q$. Then $P + Q = -R$, or in other words, $P + Q + R = O$ (from the fourth axiom).
2.4 Addition of Two Points on an Elliptic Curve


In this section we will describe the fifth axiom of the group law in some detail. Let $E$ be an elliptic curve over a finite field GF(q) together with the point at infinity $O$. It is obvious from the degree of the Weierstrass equation that any line in the affine plane will intersect the curve at exactly three points, say $P, Q, R$. In the case of a tangent line, $P, Q, R$ may not be distinct.

Let $P, Q \in E$, $L$ the line passing through $P$ and $Q$ (the tangent if $P = Q$), and $R$ the third point of intersection of $L$ with $E$. Let $L'$ be the line connecting $R$ and $O$, as shown below. Then $P + Q$ is the point such that $L'$ intersects $E$ at $R$, $O$ and $P + Q$. It can easily be verified that $P + Q = -R$ and hence $P + Q + R = O$ from the fourth axiom of the group law.


[Figure 2.1: Addition of two points over an elliptic curve]

Hence we see that the sum of two points on an elliptic curve is the inverse of the point at which the line passing through those two points cuts the curve. Now we will see the explicit rational formulae for the coordinates of the resultant point $P + Q$ in terms of the coordinates of $P$ and $Q$.

Let $P = (x_1, y_1)$, $Q = (x_2, y_2)$, $P + Q = (x_3, y_3)$. Then the slope of $L$, joining $P$ and $Q$, is

$$m = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1} & \text{if } P \neq Q \\[2ex] \dfrac{3x_1^2 + 2a_2 x_1 + a_4 - a_1 y_1}{2y_1 + a_1 x_1 + a_3} & \text{if } P = Q \end{cases}$$

If $c = y_1 - m x_1$, then the equation defining $L$ is $y = mx + c$. Now, by substituting $y = mx + c$ into the Weierstrass equation and doing some simple algebraic manipulation, the coordinates of the third point of intersection of the line $L$ with the curve $E$ can be obtained, and are given by

$$x_3 = m^2 + a_1 m - a_2 - x_1 - x_2,$$

$$y_3 = -(m + a_1) x_3 - c - a_3.$$

So, if $P, Q \in E/K$, then computing $P + Q$ involves just a few arithmetic operations in the field $K$. Hence if $K$ is a finite field, then computing $P + Q$ takes polynomial time.


2.5 The Discriminant and j-invariant

In this section, we will introduce two useful quantities for a given elliptic curve. Let $E$ be a curve given by a non-homogeneous Weierstrass equation. Define the quantities

$$d_2 = a_1^2 + 4a_2, \qquad d_4 = 2a_4 + a_1 a_3, \qquad d_6 = a_3^2 + 4a_6,$$

$$d_8 = a_1^2 a_6 + 4a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2,$$

$$c_4 = d_2^2 - 24 d_4,$$

$$\Delta = -d_2^2 d_8 - 8 d_4^3 - 27 d_6^2 + 9 d_2 d_4 d_6,$$

$$j(E) = c_4^3 / \Delta.$$

The quantity $\Delta$ is called the discriminant of the equation and $j(E)$ is called the j-invariant of $E$ if $\Delta \neq 0$. These two quantities play a significant role in defining the non-singularity and isomorphism properties of elliptic curves. A given elliptic curve $E$ is non-singular if and only if $\Delta \neq 0$. From the isomorphism viewpoint, two elliptic curves $E_1/K$ and $E_2/K$ are isomorphic over $K$ if $j(E_1) =$

2.6 Curves over $K$, char($K$) = 2

Since we have used curves over GF(2^n) to implement the cryptosystems, we will consider only curves over $K$ with char($K$) = 2.

Let $K$ be a field of characteristic 2, and let $E/K$ be the elliptic curve given by the Weierstrass equation

$$E: \; y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6.$$

For this curve the j-invariant is $a_1^{12}/\Delta$.

If $j(E) \neq 0$, then by the property of isomorphism, the admissible change of variables

$$(x, y) \to (a_1^2 x + \ldots,\; a_1^3 y + \ldots)$$

transforms $E$ to the curve

$$E_1/K: \; y^2 + xy = x^3 + a_2 x^2 + a_6.$$

For this transformed curve $\Delta = a_6$ and the j-invariant is $1/a_6$.

If $j(E) = 0$, then the admissible change of variables

$$(x, y) \to (x + a_2,\; y)$$

transforms $E$ to the curve

$$E_2/K: \; y^2 + a_3 y = x^3 + a_4 x + a_6.$$

For this curve, $\Delta = a_3^4$ and the j-invariant is 0.

Now we will see the addition formulas for two given points $P$ and $Q$ over these transformed curves, both for the curves with $j(E) \neq 0$ and for the curves with $j(E) = 0$.

Addition formula when $j(E) \neq 0$

Let $P = (x_1, y_1) \in E_1$; then $-P = (x_1, y_1 + x_1)$. If $Q = (x_2, y_2) \in E_1$ and $Q \neq -P$, then $P + Q = (x_3, y_3)$, where

$$x_3 = \begin{cases} \left(\dfrac{y_1 + y_2}{x_1 + x_2}\right)^2 + \dfrac{y_1 + y_2}{x_1 + x_2} + x_1 + x_2 + a_2, & P \neq Q \\[2ex] x_1^2 + \dfrac{a_6}{x_1^2}, & P = Q \end{cases}$$

and

$$y_3 = \begin{cases} \left(\dfrac{y_1 + y_2}{x_1 + x_2}\right)(x_1 + x_3) + x_3 + y_1, & P \neq Q \\[2ex] x_1^2 + \left(x_1 + \dfrac{y_1}{x_1}\right) x_3 + x_3, & P = Q \end{cases}$$


Addition formula when $j(E) = 0$

Let $P = (x_1, y_1) \in E_2$; then $-P = (x_1, y_1 + a_3)$. If $Q = (x_2, y_2) \in E_2$ and $Q \neq -P$, then $P + Q = (x_3, y_3)$, where

$$x_3 = \begin{cases} \left(\dfrac{y_1 + y_2}{x_1 + x_2}\right)^2 + x_1 + x_2, & P \neq Q \\[2ex] \left(\dfrac{x_1^2 + a_4}{a_3}\right)^2, & P = Q \end{cases}$$

and

$$y_3 = \begin{cases} \left(\dfrac{y_1 + y_2}{x_1 + x_2}\right)(x_1 + x_3) + y_1 + a_3, & P \neq Q \\[2ex] \left(\dfrac{x_1^2 + a_4}{a_3}\right)(x_1 + x_3) + y_1 + a_3, & P = Q \end{cases}$$
2.7 Order of an Elliptic Curve

If the elliptic curve $E$ is given by the non-homogeneous Weierstrass equation, then the number of solutions of this equation together with the point at infinity $O$ is called the order of the elliptic curve $E$. Let $E$ be defined over $F_q$, where $q$ is a power of the prime $p$, the characteristic of $F_q$. We denote the number of points in $E(F_q)$ by $\#E(F_q)$. Since the maximum degree of $y$ in the Weierstrass equation is 2, it has at most 2 solutions for each choice of $x \in F_q$, and hence $\#E(F_q) \leq 2q + 1$. Remember that the added one accounts for the point at infinity.

In 1985, Schoof [Sch85] presented a polynomial time algorithm for computing $\#E(F_q)$. The algorithm has a running time of $O(\log^8 q)$ bit operations, and is rather cumbersome in practice. Buchmann and Müller [BM91] combined Schoof's algorithm with Shanks' baby-step giant-step algorithm and were able to compute $\#E(F_q)$ over a 27-digit prime field in 4.5 hours on a SUN-1 SPARC-station.

Now we will see the bound on the order of an elliptic curve, given by Hasse in the following theorem.

2.8 Hasse's Theorem

Let $\#E(F_q) = q + 1 - t$. Then $|t| \leq 2\sqrt{q}$.

An important consequence of Hasse's Theorem is that we can pick points $P$ uniformly at random on an elliptic curve $E(F_q)$ in probabilistic polynomial time.

If $t$ is divisible by the characteristic of $F_q$ then the elliptic curve $E(F_q)$ is said to be supersingular; otherwise it is called non-supersingular. In fact, an elliptic curve is supersingular if and only if $t^2 = 0, q, 2q, 3q$ or $4q$.

In 1990, Menezes, Okamoto and Vanstone demonstrated that the discrete logarithm problem on a supersingular elliptic curve can be reduced to the discrete logarithm problem in a finite field. This result means that we should avoid the set of supersingular curves if we want a cryptosystem whose cracking problem is of fully exponential complexity.

With this we conclude this chapter. Actually, we covered here only an elementary introduction to elliptic curves and gave only some important results. For going into details, interested readers may refer to [Men93, Cass91, Hus87, Kob84, Lang78]. For an introduction to the general theory of algebraic curves, readers may refer to [Fult69, More91].
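The following Python program is an added example, not the thesis's implementation; it realises the $j(E) \neq 0$ addition formulas of section 2.6 and the point count, trace and supersingularity test of sections 2.7 and 2.8 on one small curve. It assumes a polynomial basis for GF(2^5) with reduction polynomial $x^5 + x^2 + 1$ (the thesis uses optimal normal bases), the constructed curve $y^2 + xy = x^3 + 1$ (that is, $a_2 = 0$, $a_6 = 1$), and its own function names:

```python
# GF(2^m) arithmetic in a polynomial basis (the thesis uses optimal normal
# bases; a polynomial basis is assumed here because it is easier to read).
M = 5                    # extension degree, kept small so the point count can be exhaustive
MODULUS = 0b100101       # x^5 + x^2 + 1, irreducible over GF(2) (assumed field representation)
FIELD_SIZE = 1 << M      # q = 2^m

def gf_mul(a, b):
    """Multiply two field elements (bit i of an int = coefficient of x^i)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & FIELD_SIZE:      # degree reached m: reduce by the modulus
            a ^= MODULUS
    return r

def gf_inv(a):
    """Inverse by exponentiation: a^(q-2) = a^-1 for a != 0."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^m)")
    result, base, e = 1, a, FIELD_SIZE - 2
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def gf_div(a, b):
    return gf_mul(a, gf_inv(b))

# Curve E1: y^2 + xy = x^3 + a2 x^2 + a6, the j(E) != 0 form of section 2.6.
A2, A6 = 0, 1            # constructed coefficients; a6 != 0 keeps the curve non-singular
INF = None               # the point at infinity O

def is_on_curve(P):
    if P is INF:
        return True
    x, y = P
    x2 = gf_mul(x, x)
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(x2, x) ^ gf_mul(A2, x2) ^ A6

def neg(P):
    """-P = (x1, y1 + x1); in characteristic 2 field addition is XOR."""
    if P is INF:
        return INF
    x, y = P
    return (x, y ^ x)

def add(P, Q):
    """Group law of section 2.6, j(E) != 0 case."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    if Q == neg(P):
        return INF
    x1, y1 = P
    x2, y2 = Q
    if P != Q:
        lam = gf_div(y1 ^ y2, x1 ^ x2)                  # (y1 + y2)/(x1 + x2)
        x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A2
        y3 = gf_mul(lam, x1 ^ x3) ^ x3 ^ y1
    else:                                               # doubling; x1 != 0 here since Q != -P
        lam = x1 ^ gf_div(y1, x1)                       # x1 + y1/x1
        x1sq = gf_mul(x1, x1)
        x3 = x1sq ^ gf_div(A6, x1sq)                    # x1^2 + a6/x1^2
        y3 = x1sq ^ gf_mul(lam, x3) ^ x3
    return (x3, y3)

def scalar_mult(k, P):
    """kP by double-and-add; the operation behind Q = kP in the elliptic curve DLP."""
    R = INF
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def all_points():
    """Exhaustive enumeration of the affine points of E(F_q); fine for tiny q."""
    return [(x, y) for x in range(FIELD_SIZE) for y in range(FIELD_SIZE)
            if is_on_curve((x, y))]

def curve_summary():
    """(#E(F_q), t, Hasse bound holds, supersingular) as in sections 2.7 and 2.8."""
    n = len(all_points()) + 1                # + 1 for the point at infinity
    t = FIELD_SIZE + 1 - n                   # #E = q + 1 - t
    hasse_ok = t * t <= 4 * FIELD_SIZE       # |t| <= 2 sqrt(q), squared to stay in integers
    supersingular = t * t in {0, FIELD_SIZE, 2 * FIELD_SIZE, 3 * FIELD_SIZE, 4 * FIELD_SIZE}
    return n, t, hasse_ok, supersingular

def lagrange_check():
    """#E * P must be O for every point P: a cheap self-test of the group law."""
    n = curve_summary()[0]
    return all(scalar_mult(n, P) is INF for P in all_points())

if __name__ == "__main__":
    print(curve_summary())             # (44, -11, True, False)
    print(scalar_mult(2, (1, 0)))      # doubling (1, 0) gives the order-2 point (0, 1)
    print(lagrange_check())            # True
```

Exhaustive counting gives $\#E(F_{32}) = 44$, so $t = -11$, which sits just inside the Hasse bound $|t| \leq 2\sqrt{32} \approx 11.3$; $t$ is odd, so $t^2$ is none of $0, q, 2q, 3q, 4q$ and the curve is non-supersingular, as every curve of this $j \neq 0$ form over a binary field is. The Lagrange check ($\#E \cdot P = O$ for every point) is a cheap way to catch a wrong term when transcribing the formulas into an implementation.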
Chapter 3


Elliptic Curve Discrete Logarithm 
Problem: Attacks and Remedies


The discrete logarithm problem in some finite group $G$ is the foundation of many public key cryptosystems that are being used today. Elliptic curve cryptosystems are also designed on the basis of the discrete logarithm problem. One of the best examples of this type of cryptosystem is the ElGamal cryptosystem, proposed by T. ElGamal in 1985 [ElG85]. Since the security of the whole cryptosystem relies on the presumed intractability of the discrete logarithm problem, it has received a great deal of attention in recent years, and numerous algorithms have been devised to solve it. In this chapter, we first introduce the DLP over a finite abelian group and over the group constituted by the points of an elliptic curve over a finite field. Then we consider various algorithms that threaten the security of DLP based cryptosystems. After this we determine the conditions under which the known algorithms fail and hence security is sustained. Finally, we see how elliptic curve cryptosystems are built by employing the discrete logarithm problem.

3.1 Discrete Logarithm Problem (DLP)

The discrete logarithm problem (DLP) in a finite multiplicative group $G$ refers to the computation of $x$ for two elements $a, b$ of $G$ such that $a^x = b$. The integer $x$ is said to be the logarithm of $b$ to base $a$, i.e. $x = \log_a b$. This problem is known to be very difficult if the group order is large. The intractability of this problem motivated Diffie and Hellman to introduce the concept of public key cryptography, which exploits the difficulty of finding discrete logarithms in a finite group as a security measure. Initially, Diffie and Hellman's idea was limited to the discrete logarithm problem in the multiplicative group of GF(p), but in 1985 it was generalized by ElGamal to any finite abelian group. The application of the DLP in cryptography has been one of the reasons for increased attention towards solving this problem in the field of cryptanalysis. Consequently, several algorithms have been devised in the recent past for finding logarithms in finite abelian groups.

Since the ongoing research in the area of solving the DLP seriously threatens the security of most of the existing public key cryptosystems, the search for a more difficult DLP has been of great interest to cryptographers. The elliptic curve based DLP is one outcome of this search. The DLP in an elliptic curve group refers to the computation of $k$ for given $P, Q \in E$ such that

$$Q = kP = \underbrace{P + P + \cdots + P}_{k \text{ times}}.$$

This one way property provides a very difficult DLP even with a very small field size (of the order of $F_{2^{135}}$ or $F_{2^{155}}$) over which the curves are defined.

Now in the next section, we will briefly introduce various algorithms for finding discrete logarithms in a finite abelian group. In each case, we will also compare the complexity of the elliptic curve group based DLP with that of the finite abelian group based DLP.


3.2 Various Attacks on DLP Based Cryptosystems

There are various algorithms known for finding discrete logarithms in a finite abelian group, and hence for attacking the security of DLP based cryptosystems. The algorithms can be categorized as follows.

1. Algorithms which work in arbitrary groups (square root methods)

2. Algorithms which work in arbitrary groups but exploit the subgroup structure (Pohlig-Hellman method)

3. The index calculus methods

4. MOV reduction attack, for elliptic curves only

Now we proceed to briefly describe each of these methods.

3.2.1 Square Root Methods

These algorithms, which work in any arbitrary cyclic group, are called square root methods because their computational complexity is of the order of the square root of the size of the group. Let $G$ denote a finite abelian group of order $m$ with $a$ as the generator element. Let $m' = \lceil \sqrt{m} \rceil$. One of the famous square root methods is the Baby-Step Giant-Step method.

Baby-Step Giant-Step method

Let $a^x = \beta$. Hence, the problem is to find $x = \log_a \beta$. The algorithm begins with precomputing a list of pairs $(i, a^i)$ for $0 \leq i < m'$ and storing it in memory. Now for each $j$, $0 \leq j < m'$, compute $\beta a^{-jm'}$ and check by binary search whether it equals any of the $a^i$ in the stored list. If a match is found for some $i$ and $j$ then

$$\beta a^{-jm'} = a^i \;\Rightarrow\; \beta = a^{i + jm'} \;\Rightarrow\; \log_a \beta = i + jm'.$$

By some simple mathematical manipulation, it is easy to see that this algorithm requires storage of $m'$ entries and $O(m' \log m')$ steps for an arbitrary group. In the case of an elliptic curve group, the stored list will consist of multiples of the generator point, which further increases the storage requirements.

Now, if we select a finite abelian group (any group, not necessarily an elliptic curve group) of order about $10^{\ldots}$, then this algorithm will not be feasible. Hence, the groups to be selected for secure cryptosystems are restricted to have size greater than $10^{\ldots}$.


3.2.2 Pohlig-Hellman Method

Let G be an arbitrary group of order m. The method proceeds with the factorization
of m to determine various subgroups of G, and then computes the discrete logarithm
in each of the subgroups by using a square root method. Finally, the Chinese remainder
theorem [IR82] is applied to obtain the required result. Let

m = \prod_{i=1}^{r} p_i^{e_i}

where the p_i are primes and the e_i are exponents. Let x = \log_\alpha \beta. The algorithm begins
with the computation of x_i = x \bmod p_i^{e_i} for each i; suppose that
x_i = \sum_{j=0}^{e_i - 1} z_{ij} p_i^j, where 0 \le z_{ij} < p_i.
Let \gamma_i be the p_i-th root of unity in G, i.e. \gamma_i = \alpha^{m/p_i}. Then

\beta^{m/p_i} = \alpha^{xm/p_i} = \gamma_i^{z_{i0}}

Now z_{i0} can be computed using the Baby-Step Giant-Step method in O(\sqrt{p_i} \log p_i)
steps and with O(\sqrt{p_i}) storage requirement. The remaining digits z_{i1}, z_{i2}, \dots are
obtained by repeating this step; in this way z_{ij} can be computed for all values of j. Now,
for all i, x_i can be computed by repeating the above procedure. After having all x_i, the
required logarithm x can be computed using the Chinese remainder theorem.

From the complexity viewpoint, this algorithm requires O(\sqrt{p_i} \log p_i) storage
elements and O(e_i(\log m + \sqrt{p_i} \log p_i)) steps for each i. For this attack to fail,
the order of the group G must contain a large prime factor of at least
30 decimal digits.
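As an added illustration that is not part of the thesis, the following Python code implements the Baby-Step Giant-Step search of Section 3.2.1 and uses it as the subgroup solver inside the Pohlig-Hellman reduction just described. The group is the multiplicative group of a small constructed prime field rather than an elliptic curve (the algorithms are group-independent), and the helpers factor_trial and crt are assumptions of this example.

```python
# Added example (not from the thesis): Baby-Step Giant-Step and Pohlig-Hellman
# for the discrete logarithm in the multiplicative group Z_p^*. The group
# parameters below are constructed toy values; real parameters have group
# orders far beyond the 30-decimal-digit bound discussed in the text.
from math import isqrt


def baby_step_giant_step(alpha, beta, order, p):
    """Return x with alpha^x = beta (mod p), where alpha has the given order.

    Baby steps: table of (alpha^i -> i) for 0 <= i < m'. Giant steps: for each j,
    compare beta * alpha^(-j m') with the table; a hit gives x = i + j m'.
    Needs m' table entries, m' = ceil(sqrt(order)).
    """
    m_prime = isqrt(order) + 1                   # m' >= ceil(sqrt(m))
    table = {}
    acc = 1
    for i in range(m_prime):                     # baby steps: alpha^i
        table.setdefault(acc, i)
        acc = acc * alpha % p
    stride = pow(alpha, -m_prime, p)             # alpha^(-m') via modular inverse
    gamma = beta % p
    for j in range(m_prime):                     # giant steps: beta * alpha^(-j m')
        if gamma in table:
            return (table[gamma] + j * m_prime) % order
        gamma = gamma * stride % p
    raise ValueError("beta is not in the subgroup generated by alpha")


def factor_trial(n):
    """Prime factorisation {prime: exponent} by trial division (toy sizes only)."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def crt(residues, moduli):
    """Combine x = r_i (mod n_i), pairwise coprime n_i, into x mod prod(n_i)."""
    x, n = 0, 1
    for r, ni in zip(residues, moduli):
        t = (r - x) * pow(n, -1, ni) % ni
        x += n * t
        n *= ni
    return x % n


def pohlig_hellman(alpha, beta, m, p):
    """Return x = log_alpha(beta) in Z_p^*, where alpha has order m.

    For each prime power p_i^e_i dividing m, the digits z_ij of
    x_i = x mod p_i^e_i are found one at a time with BSGS in the subgroup of
    order p_i generated by gamma_i = alpha^(m/p_i); CRT recombines the x_i.
    """
    residues, moduli = [], []
    for pi, ei in factor_trial(m).items():
        gamma = pow(alpha, m // pi, p)           # gamma_i, a p_i-th root of unity
        x_i, pk = 0, 1                           # pk tracks p_i^j
        for _ in range(ei):
            # Remove the digits already known, then project into the order-p_i
            # subgroup: (beta * alpha^(-x_i))^(m / p_i^(j+1)) = gamma_i^(z_ij).
            h = pow(beta * pow(alpha, -x_i, p) % p, m // (pk * pi), p)
            z = baby_step_giant_step(gamma, h, pi, p)   # 0 <= z_ij < p_i
            x_i += z * pk
            pk *= pi
        residues.append(x_i)
        moduli.append(pk)
    return crt(residues, moduli)


def demo():
    """Constructed toy group: p = 1019 is prime and 2 generates Z_1019^*
    (order 1018 = 2 * 509). Returns the logarithm recovered by both methods."""
    p, alpha, m = 1019, 2, 1018
    x = 777
    beta = pow(alpha, x, p)
    return baby_step_giant_step(alpha, beta, m, p), pohlig_hellman(alpha, beta, m, p)
```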

3.2.3 Index Calculus Method

Although this attack is the most powerful attack for finding discrete logarithms, it
does not apply to an arbitrary finite abelian group. Over the multiplicative groups of
GF(p) and GF(2^n) this method has been successfully applied, whereas in the case of
an elliptic curve group it has not yet been shown to be applicable. This justifies the superiority
of elliptic curve cryptosystems over other DLP based cryptosystems. To see how
this algorithm works, please refer to [Men93a, Sim91].

The complexity of this algorithm is given by

L[m, a, c] = O(\exp((c + o(1))(\log m)^{a}(\log \log m)^{1-a}))

where c is a constant and 0 < a < 1. This algorithm poses a serious attack on
cryptosystems which are based on the DLP in GF(p) and GF(2^n). To avoid this type
of attack, the field size should be of the order of at least

3.2.4 MOV Reduction Attack: An Attack on Elliptic Curve
Cryptosystems Only

Since we are concentrating mainly on elliptic curve cryptosystems, we will explain
this attack in some detail, as a secure cryptosystem must be designed against it. This method, which
attacks specifically the security of elliptic curve cryptosystems only, was given
by three cryptographers, Menezes, Okamoto and Vanstone [Men93a, Men93b], and
is hence called the MOV attack. The method reduces the DLP in the elliptic curve group over
GF(q) to the DLP in a suitable finite extension GF(q^k) of GF(q) using the Weil pairing
[Men93a, Men93b, Sil85]. For this attack to be applicable, the order of the multiplicative
group of the extension field GF(q^k) must be divisible by the order of the elliptic curve
defined over GF(q). If #E(GF(q)) = m, then the following condition must be satisfied:

q^k \equiv 1 \pmod{m}

Now we first define the Weil pairing [Sil85, Men93a, Men93b]. Let l be a positive
integer relatively prime to q. Then the Weil pairing e_l is a function

e_l : E[l] \times E[l] \to GF(q^k)

where E[l] is the l-torsion subgroup of the elliptic curve group. Some important prop-
erties of the Weil pairing function e_l are:

1. Identity: For all P \in E[l], e_l(P, P) = 1.

2. Alternation: For all P, Q \in E[l], e_l(P, Q) = e_l(Q, P)^{-1}.

3. Bilinearity: For all P, Q, R \in E[l],

e_l(P + Q, R) = e_l(P, R) e_l(Q, R) and
e_l(P, Q + R) = e_l(P, Q) e_l(P, R)

4. If E[l] \subseteq E(GF(q)), then e_l(P, Q) \in GF(q) for all P, Q \in E[l].

Now let P be a point in E(GF(q)) of order l such that \gcd(q, l) = 1, and let
R \in \langle P \rangle. Then the elliptic curve discrete logarithm s such that
R = sP can be computed by using the following algorithm.

Algorithm

1. Begin

2. Find the smallest extension degree k such that E[l] \subseteq E(GF(q^k)).

3. Find Q \in E[l] such that \alpha = e_l(P, Q) has order l.

4. Compute \beta = e_l(R, Q).

5. Compute s, the discrete logarithm of \beta to the base \alpha in GF(q^k).

6. End

This algorithm requires the minimum field extension in which E[l] can be
embedded. If k is large then the algorithm takes a long time in finding the discrete
logarithm, as the size of the extension field becomes very large. Since there are few
isomorphism classes of supersingular elliptic curves, and for each class the order of
the curve is known, k can easily be found. It is found that k is 4 and 6 for GF(2^n)
and GF(p) respectively. Hence this method of computing discrete logarithms in
elliptic curve groups poses a serious threat to cryptosystems based on supersingular
elliptic curves. Since there are plenty of choices for the order of a non-supersingular
curve over a given finite field, the curve can be selected so that the MOV
attack becomes infeasible. This is the reason why non-supersingular curves are being
looked at with great interest in the field of cryptography.

In the next section we will see various aspects regarding the selection of an
elliptic curve to build a secure cryptosystem.

3.3 How Elliptic Curves Should be Selected Against
all Possible Attacks

In the previous section, we became familiar with all the known attacks that can
break the security of an elliptic curve cryptosystem. Here we will see the possible
solutions to make these attacks infeasible with the current computational resources
and capabilities.

To make the square root attack infeasible, the order of the elliptic curve
group must be greater than a 30 digit decimal number, while to make the Pohlig-
Hellman attack infeasible, the order of the curve must contain a large prime factor.
Hence to avoid both these attacks the order of the curve must contain a prime factor
greater than a 30 decimal digit number. The index calculus attack is impractical over
elliptic curves, so we need not worry about this attack.

Now we discuss the possible solutions to make the MOV reduction attack infeasible
for curves over GF(2^n). Let us assume that #E(GF(2^n)) = m = c \cdot p, where
c is a small number (say less than 100) and p is the large prime factor (greater than
30 decimal digits). Since there are 7 and 3 isomorphism classes of supersingular
elliptic curves over GF(2^n) for even and odd n respectively, the MOV reduction
attack is very effective for these curves: the maximum value of the minimum
extension degree k is only 4. To make this attack infeasible the field GF(2^n)
must be so chosen that the order of the curve contains a prime factor greater than
30 decimal digits and the extension field GF((2^n)^k) is larger than GF(2^{600}).

For non-supersingular curves, Miyaji's variation of the MOV algorithm [Miy91]
is applied for finding the discrete logarithm. In this modified algorithm, the DLP
over a non-supersingular curve (always having an even order) is mapped to the DLP
in the subgroup of the given curve group which has odd order. Remember that
m = c \cdot p is even for a non-supersingular curve. Let d be the odd part of c. If the prime
factor p is such that (p - 1)/2 is B-nonsmooth (i.e. (p - 1)/2 has no factor less than
B) and

(2^n)^2 \not\equiv 1 \pmod{dp}

then k will be greater than B.

Hence we conclude this discussion with the result that, to obtain an
elliptic curve cryptosystem secure against all known attacks, the order of the selected
elliptic curve must contain a prime factor of at least 30 decimal digits and the
extension degree for the MOV attack must be controlled by a lower bound.
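The criteria above can be checked mechanically. As an added example that is not from the thesis, this Python code takes a field GF(2^n), the factorisation of #E = c \cdot p and the bound B, and reports whether the large-prime and MOV conditions hold; rather than testing a single power of 2^n it searches directly for the smallest k \le B with (2^n)^k \equiv 1 \pmod{dp}, which is the more general check. The sample parameters are constructed and do not correspond to any curve given in the thesis.

```python
# Added example (not from the thesis): checking candidate curve parameters
# against the selection criteria of Section 3.3. Inputs are n (field GF(2^n)),
# the known factorisation of the curve order m = c * p, and the MOV bound B.
from math import gcd


def largest_prime_factor_digits(factors):
    """Decimal digits of the largest prime in a factorisation dict {prime: exp}."""
    return len(str(max(factors)))


def odd_part(c):
    """Strip all factors of 2 from c (the d of Section 3.3)."""
    while c % 2 == 0:
        c //= 2
    return c


def mov_extension_degree(q, modulus, bound):
    """Smallest k <= bound with q^k = 1 (mod modulus), or None if there is none.

    This is the extension degree the MOV / Miyaji reduction needs: the DLP moves
    from the curve into GF(q^k), so a small k makes the curve unsuitable.
    """
    if gcd(q, modulus) != 1:
        raise ValueError("q and the modulus must be coprime")
    acc = 1
    for k in range(1, bound + 1):
        acc = acc * q % modulus
        if acc == 1:
            return k
    return None


def check_curve_order(n, factors, bound=20, min_digits=30):
    """Apply the Section 3.3 criteria to #E(GF(2^n)) = prod(p^e for p, e in factors).

    Returns the curve order, the verdict of each check, and the MOV extension
    degree (None when it exceeds the bound, which is the desired outcome).
    """
    q = 2 ** n
    m = 1
    for prime, exp in factors.items():
        m *= prime ** exp
    p = max(factors)                        # the large prime factor of Section 3.3
    c = m // p                               # the small cofactor c
    d = odd_part(c)
    k = mov_extension_degree(q, d * p, bound)
    return {
        "order": m,
        "large_prime_ok": largest_prime_factor_digits(factors) >= min_digits,
        "cofactor_small": c < 100,
        "mov_degree": k,
        "mov_ok": k is None,                 # no k <= B with (2^n)^k = 1 mod (d p)
    }


def demo_checks():
    """Two constructed parameter sets: one that passes and one that fails."""
    # p = 2^107 - 1 is a Mersenne prime with 33 decimal digits; take #E = 2 * p
    # over GF(2^108). The thesis gives no such curve; the values only exercise
    # the checks. Here 2^108 = 2 (mod p), whose order mod p is 107 > 20.
    good = check_curve_order(108, {2: 1, 2 ** 107 - 1: 1})
    # q = 2^5 and #E = 33 = 3 * 11: q^2 = 1024 = 1 (mod 33), so the MOV degree
    # is only 2 and the prime factor is far too small.
    bad = check_curve_order(5, {3: 1, 11: 1})
    return good, bad
```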

3.4 Cryptographic Implications

The discrete logarithm problem in F_p, p a 192 bit prime, has recently been computed
by La Macchia and Odlyzko [MaOd91] using the index calculus method. But it does
not seem to be practical for F_p where p < 2^{600}. Gordon and McCurley [GoMc92]
recently indicated that computing discrete logarithms in F_{2^m} for m about 500 is
barely feasible given a large amount of computer resources. Therefore it appears that,
given the best algorithms known for the discrete logarithm problem in finite fields
and given the best available computer technology, the discrete logarithm is infeasible
for finite fields of size greater than 2^{600}.

Now we comment on the security aspects of a family of supersingular
curves defined as

y^2 + y = x^3 + b over F_{2^m}, m odd,

that has previously been suggested for the implementation of elliptic curve cryp-
tosystems. Since the k value of the MOV reduction attack for these curves is 2, the
DLP on these curves is efficiently reducible to the DLP in the quadratic extension
of the given field. A particular member of this family, given as

E: y^2 + y = x^3,

is especially attractive for implementation purposes. It is now clear that using E
over F_{2^m} is no more secure than using the cyclic group in F_{2^{2m}}. Since the cost of
computations on the curve is higher than that in F_{2^{2m}}, such a curve is inferior for
cryptographic purposes to other existing systems. This curve was first considered for
implementation purposes by Koblitz [Kob87] with the particular values m = 61
and m = 127. These curves are obviously inadequate for cryptographic purposes,
since the DLP in the fields F_{2^{122}} and F_{2^{254}} is very much feasible. Later m = 191 and
m = 251 were suggested, but these curves should also be avoided for the same reasons.
Alternatives to the curve y^2 + y = x^3 are the supersingular curves y^2 + y = x^3 + x
and y^2 + y = x^3 + x + 1 over F_{2^m}, m odd. These curves have k value equal to 4.

With this discussion, we conclude this chapter. In this chapter, we discussed
various methods for solving the discrete logarithm problem. Simultaneously, we
derived necessary and sufficient conditions on the chosen elliptic curve to make all these
methods infeasible. In the next chapter, we will see how elliptic curve cryptosys-
tems are built by employing the elliptic curve discrete logarithm problem. Our focus
will be mainly upon the design of an elliptic curve smart card cryptosystem.
Chapter 4


Some Elliptic Curve Public Key
Schemes and Design of an Elliptic
Curve Based Smart Card
Cryptosystem


In the previous chapter, we discussed various security aspects of the elliptic curve dis-
crete logarithm problem and all possible solutions for this problem to be unbreakable.
Here, we will see how this discrete logarithm problem is employed in the design
of cryptosystems. Remember that for the designed cryptosystems to be secure, the se-
lected elliptic curve must satisfy all the conditions derived in the previous chapter.
To understand the design and setup of these systems, we shall discuss the elliptic curve
analogs of some well known public key schemes, and then we will design an elliptic
curve based smart card cryptosystem.


4.1 Elliptic Curve Analog of Diffie-Hellman Key
Exchange Scheme

Private key cryptosystems on the one hand work faster, but on the other hand
they suffer from the key distribution problem as mentioned in Chapter 1. Public
key cryptosystems do not have any key distribution problem, but they work slower.
Keeping this in mind, Diffie and Hellman in 1976 gave a public key scheme [DH76]
to share a common secret key over an insecure communication channel. Later, this
secret key can be used in a private key cryptosystem such as DES. The cryptosystem
is hence called a hybrid cryptosystem. Diffie and Hellman gave this key exchange
scheme over an arbitrary group; we will describe this scheme in terms of an elliptic
curve group.

Suppose A and B want to share a common secret key over an insecure
channel. For this, they first publicly choose a finite field F_q and an elliptic curve E
defined over it. Then they publicly choose a point P \in E. To generate a common
secret key, A chooses a random integer a which he keeps secret. Now he computes
aP \in E and transmits aP to B over a public communication channel. Similarly,
B generates a secret random integer b, computes bP \in E, and transmits bP to A
over the same channel. A receives bP and computes a(bP) \in E; B receives aP and
computes b(aP). In this way, both A and B share a common key given by abP.
It is clear that without solving the discrete logarithm problem there is no way to
compute abP knowing only aP and bP.

4.2 Elliptic Curve Analog of ElGamal Scheme over
F_q, q = p^r, for Message Encryption and De-
cryption

An elliptic curve analog of the ElGamal scheme was first suggested by Koblitz [Kob87].
Consider an elliptic curve E(F_q) defined over F_q with order #E(F_q). Let P \in E be
a fixed and publicly known point. Each user chooses an integer k_i randomly, such
that 0 < k_i < #E(F_q), and makes the point k_i P public while keeping k_i secret.

Message Imbedding

The mapping of plaintext messages to points on the working curve is called
message imbedding. Before encrypting, the messages are made into blocks and
each block is suitably related to a point on the curve. This has to be done in a sim-
ple, systematic way, so that the plaintext m, which is an integer in some range, can
readily be determined from the coordinates of the corresponding
point P_m. Koblitz gave a probabilistic method to imbed plaintexts as points on an
elliptic curve E defined over F_q, where q = p^r is assumed to be large. For details of
this method, refer to [Kob87, Kumar96].

Encryption/Decryption

Let A and B be two users having the private keys k_1 and k_2 respectively. The
public key of A is k_1 P and that of B is k_2 P. If A has to send a mapped message P_m to
B, he computes and transmits the following ciphertext to B:

C = (k_1 P, P_m + k_1(k_2 P))

So the computations involved in encryption are k_1 P and k_1(k_2 P). Remember that
k_1, the encryption key, is not fixed; it is chosen at the time of encryption.
At the receiving end, B multiplies the first part of the received ciphertext, i.e. k_1 P,
by his secret key k_2 and obtains k_2(k_1 P). He now subtracts this computed term
from the second part of the received ciphertext and gets the original message P_m, as
shown below:

P_m = P_m + k_1(k_2 P) - k_2(k_1 P)

In this way, we see that the security of this system relies on the elliptic curve discrete
logarithm problem.
4.3 Elliptic Curve ElGamal Cryptosystems over
F_{2^m}

These are the systems which we have implemented in this thesis. The implementation
of the ElGamal scheme over F_{2^m} [MV90, MV93] has a slightly different approach. Now
we will see how this approach works. Let us consider a non-supersingular curve
E: y^2 + xy = x^3 + ax^2 + b defined over F_{2^m}, and let P be a publicly known
point on E. Assume that the elements of F_{2^m} are represented in a normal basis
[LdNd]. The advantages of this assumption we will explain in the chapter on
efficient implementation issues. User A randomly chooses an integer a,
makes public the point aP, and keeps a secret. To transmit the message pair
(M_1, M_2) to A, sender B selects a random integer k and computes the point kP and
k(aP) = (x, y). Since the event x = 0 or y = 0 occurs with negligible probability for
randomly chosen k, we can assume x, y \ne 0. B then sends A the point kP and
the field elements M_1 x and M_2 y. At the receiving end, to read the message, receiver
A multiplies the first part of the ciphertext, kP, by his secret key a and obtains
a(kP) = (x, y), from which he can recover M_1 and M_2 by dividing the received M_1 x
and M_2 y, i.e. in two divisions.

Based on this scheme, we have made a processor and operating system
independent software package for encryption/decryption over a fixed GF(2^n). We have
also made an effort to implement this scheme over much larger fields
on the Texas Instruments digital signal processor.


4.4 Elliptic Curve Analog of RSA

In broadcast applications the conventional RSA system, based on the integer fac-
torization problem, is not secure if the encryption key e is small; this was first shown
by Hastad in 1985. Actually he presented a paper [Hast85] in which he showed that
an attack based on Hastad's theorem, called the low exponent attack, is very
effective against conventional RSA. Later it was shown in [KK94, KOT94]
that RSA type cryptosystems over elliptic curves, such as the KMOV and Demytko
cryptosystems, are more secure than the original RSA against the low exponent at-
tack, or more clearly the low multiplier attack in terms of elliptic curve terminology.
To know more about the working of these systems and about the low exponent attack,
the interested reader may refer to [Kumar96].


4.5 An Elliptic Curve Based Smart Card Cryp-
tosystem

The more our society becomes computerized, the greater are the risks from banking
fraud, economic sabotage, industrial spying etc. An obvious conclusion is that our
computerized open systems require additional security. Cryptography is a powerful
security tool in the field of information technology. However, the expansion of public
cryptologic knowledge is moderated by government and political concerns aiming at
controlling the spread of cryptologic technology and devices, expressed most often
in the form of embargoes or export controls.

The smart card, which stores, processes, and controls internal cryptographic
algorithms [GuUg86, HaWa88], as we will see, suggests solutions that may sat-
isfy both national regulations and commercial needs. Smart cards are already in
widespread public use. Through this user friendly technology cryptology is invad-
ing our everyday life. This invasion has a large influence on security in various fields
of application, not only in banking, but also in the areas of health, pay television,
telephone, home computers, data processing, communication networks, and more
generally, information technology. This pocket size computer is so popular today
that some consider it to be a fourth level in the hierarchy after the host computer,
the departmental computer, and the personal computer.
4.5.1 What a Smart Card is


At first glance a smart card appears to be simply an improved traditional credit
card. But a smart card is in reality a multipurpose tamper resistant security device
which is capable of doing cryptographic operations like encryption, decryption and
digital signatures. All the computations are done on the card itself without requiring
any external computing resources. This guarantees that all the secret information is
kept on the card itself; it never leaves the card. Because of all these features
smart cards are highly reliable devices as far as security is concerned.

Traditional financial cards, or more simply ATM cards, are magnetic stripe
cards which do not have any processing capability. They can only store data.
Smart cards, on the other hand, can process the data in addition to storing it.
Actually, this pocket size plastic card possesses a single 20 mm^2 VLSI chip which is
responsible for doing the various cryptographic operations. This idea of inserting a chip
into a plastic card is not new, but practical public key applications emerged only a
few years ago because of previous limitations in the storage and processing capacities
of circuit technology.

The chip embedded in a smart card is a single chip microcomputer (MCU).
An MCU is a computer system integrated onto a single piece of silicon. The only
computer-like resources it lacks are the external human interface devices such as
keyboards, displays, disk drives, etc. The major difference between this MCU and a
general purpose MCU is that a general purpose MCU can be used in any operating
mode selected by the user, and its internal data and address buses can be accessed from
outside, hence the internal contents can be changed. With an MCU designed for a
smart card, the only possible operating mode is the use mode. After the device has
been tested and passed as fully functional by the manufacturer, users can only
use it under the exclusive control of the user software in the on board ROM. The
internal buses are never accessible from outside.
4.5.2 The Internal Architecture of a Smart Card


To illustrate the various components a smart card must have to
perform the required tasks, we will discuss the smart card IC chip in some
detail in this section.

A smart card IC is constructed from predefined logic modules as shown in
the figure "Smart Card Microarchitecture". Before finally passing it to the market,
each and every module must be tested for its inputs, outputs, operations and security
capability.

Figure 4.1: Smart Card Microarchitecture (external contacts shown: RST, Vcc, GND, CLK)

The major part of a smart card IC is its on chip memory. The memory
can be divided into four distinct areas: RAM, system ROM, user ROM, and user
EEPROM. The amount of RAM and ROM can vary from card to card depending
upon the type of application that the card has to handle. Typical figures are
given in the table below.
Memory area       Typical size
RAM               128 to 960 bytes
System ROM        1 to 8 KB
User ROM          6 to 24 KB
User EEPROM       256 bytes to 8 KB


Each memory area has user defined memory access control logic, which provides
full separation between on chip application code and data.

The system ROM holds the basic I/O, test and security functions. These func-
tions are based on a firmware library that maximizes security. The user ROM holds
the operating system code. This code will differ depending upon the requirements
of the various end applications. Since both the system and the user areas are ROM,
their code contents are placed in the device at the time of manufacturing, so that
they are fixed for the lifetime of the smart card. The user EEPROM area stores
variable data such as personal data, keys, a purchase history, perhaps your Social
Security number and favourite telephone numbers. It is partitioned into several zones
corresponding to different uses and access modes from outside the card:

• The SECRET ZONE is impossible to read from outside the chip, either by
logical or physical means.

• The ACCESS ZONE is a service zone in which accesses using
the issuer's or the user's keys are recorded. This memory allows counting of correctly or wrongly
submitted keys, and locking of the circuit in case of several wrongly submitted keys
(usually three).

• The CONFIDENTIAL ZONE can be read if the correct issuer's or user's key is
given. It generally contains personal or sensitive data.

• The TRANSACTION ZONE is used during the current life of the card. This
can be read or written, with or without a key, according to the application.

The CPU designed for smart cards is usually an 8-bit microcontroller, but 32-bit
ones are also under development. The CPU features extended addressing modes and an
instruction set that is especially designed for writing high security applications. The
card's microcontroller executes the cryptographic application programs which are
stored in ROM at the time of manufacturing. The most common cores are
Motorola's 68HC05 and Intel's 80C51. Recently, SGS-Thomson also developed a
low power logic smart card IC, the ST19.

For cryptographic applications the modular arithmetic processor provides
public key cryptography calculations using up to 512 bit or 1024 bit keys. When
this is used together with the on chip random number generator, the IC can perform
full public key generation, digital signatures, and authentication internally. This
capability guarantees that the secret key will never be known outside the smart card,
and contributes to the overall security of the system.

4.5.3 About Smart Card Software

No CPU based system is ever complete without a firmware development system.
This, too, is provided, both as a complete development system and as Crypto
Library support routines. The Crypto Library can be provided in the system ROM
area, leaving 6 to 24 KB of user ROM available for the application software.
The cryptographic library provides firmware functions for:

• Basic math, including modular squaring and multiplication for various length
digits

• Generating long random numbers

• Calculating Montgomery constants, which are required for long-number mod-
ular arithmetic

• Modular exponentiation

• More elaborate functions such as RSA signatures and authentication for any
modulus length up to 1024 or 2048 bits (depending on the required security
level)

• Full internal key generation for signatures and authentication
4.5.4 High-level implementation of Smart card

We now see how a user can get various cryptographic services from the card.
During high level implementation it is generally recommended to separate the
cryptographic scheme (RSA, DSA and so on) from the cryptographic operations
(sign, verify, encrypt, decrypt, hash and key exchange). Designers can achieve this
by implementing an I/O buffer in the card into which the terminal writes data to
be processed. In this model the following steps are executed whenever the card
performs a cryptographic operation:

1. A put command selects a key file specific to a scheme.

2. A put command writes the data to process (message, ciphertext, signature, and
so on) to the I/O RAM buffer.

3. A get command (specific to an operation) retrieves the card's result.

Such an approach results in a simplified command set and allows upgrading of the
card without adding new command codes. The following toy example illustrates

• the encryption of the message "process me that" with the RSA keys contained
in the file 2401,

• the signature of the message "123" by the DSA file 334A, and

• a Diffie-Hellman key exchange with the keys contained in the file E1F3.

select file 2401            exchange card to reader    {RSA, 768, s/e/i}       /* = TYPE in DOS */

File selection returns the key file type (here 768 bit RSA) and the cryptographic
operations allowed with this file (s = signature and verification, e = encryption and
decryption, i = identification, k = key exchange).

put data                    exchange reader to card    {"process me that"}     /* data to process */
get data encrypt 0000       exchange card to reader    {"E32A371B908AB37"}     /* = ENCRYPT.EXE */

The 0000 sent to the card means that the result (here the ciphertext begin-
ning E32) should be sent to the terminal. A nonzero code would indicate a file ID
where the ciphertext should be written.

select file 334A            exchange card to reader    {DSA, 512, s}           /* = TYPE in DOS */
put data                    exchange reader to card    {"123"}                 /* data to process */
get data sign 0000          exchange card to reader    {"ADEG03B826FDE04"}     /* = SIGN.EXE */

select file E1F3            exchange card to reader    {DH, 512, k}            /* = TYPE in DOS */
put data                    exchange reader to card    {"process me that"}     /* mod p */
get data key exchange 2010  exchange card to reader    {"AE589EB6A564CDD"}     /* = KEY_EXCH.EXE, returns mod p */

During a key exchange, the user must specify a destination file ID (here 2010)
for the common key. The outside world can never access this value.


4.5.5 What can a Smart Card Do in a Cryptosystem

In a cryptosystem, the main purpose of the smart card is to authenticate the card
holder to a system which is located at a remote place [sch89, Miy92]. The smart
cards are first initialized with proper keys so that secure communication can be
done using a cryptographic algorithm. For interfacing with the external world, smart
cards are inserted in a device called a smart card reader attached to your PC or work-
station. Once a smart card is inserted, the following operations are performed:

• User to Smart Card Authentication: The card must be sure that the
right card holder is present during some operations. For this, every user is
given a number called a personal identification number (PIN). Using this PIN the
smart card identifies the user. The basic drawback with PIN identification is
that if it leaks out then correct identification is no longer guaranteed. An
alternative is to use biometric techniques, i.e. voice, finger print, image etc.
But these techniques require more memory.

• Smart Card to Remote System Authentication: After the user authen-
tication, the validity of the card to the remote system at the other end has to
be checked. Whether the inserted card is an authorized one or not has to be
checked by the remotely located system; otherwise manufacturing of fraudulent
cards comes into the picture.

• Remote System to Smart Card Authentication: Now there is a need for
the remote system also to be authenticated to the smart card at the transmit-
ting end. A similar protocol is run from the remote system to the card.

Once all of these authentications are done successfully, the user is granted
access to the system and further communication can take place.

At this point we have become familiar with the cryptographic smart card.
Presently almost all card manufacturers, like Motorola, SGS-Thomson, Hitachi,
Gemplus etc., are using the RSA and ElGamal schemes for encryption and decryption,
and Schnorr [sch89] for identification and signature. The disadvantages of these
schemes from the smart card viewpoint we have already discussed in Chapter 1. Recently
Siemens has taken the step towards elliptic curve based smart card manufacturing,
keeping in mind the various advantages that elliptic curves offer. In the next
section we will see how elliptic curves may be employed for designing smart
card cryptosystems.
4.5.6 Elliptic Curve Based Smart Card


Here we discuss how the elliptic curve discrete logarithm problem can be em-
ployed in a smart card to perform the tasks mentioned in the previous section.
We will consider the ElGamal scheme over GF(2^n) for the various authentication pro-
cesses involved in the transaction between the card and the outside world. The message encryption and
decryption method has already been given in Section 4.3. Here we will see
the authentication only. The process is similar to the Diffie-Hellman key exchange
protocol.

Let P be a publicly chosen point on a publicly chosen elliptic curve E.
Let u and U (= uP) be the private and public keys of the user, and s and S (= sP)
those of the remote system. The remote system maintains a database of the public
keys of the users. The following information is required to be stored in the card
memory:

1. Personal Identification Number (similar to a password) of the user

2. Card's identity number

3. The modulo polynomial for GF(2^n)

4. The coefficients of the elliptic curve equation

5. The coordinates of the point P

6. The size of the order of the curve

7. The secret key u

8. The public keys U and S

User to Card Authentication: The user inserts the card in a smart card reader
and enters his PIN. If the PIN matches the one stored in the smart card memory, the
process proceeds further; otherwise it terminates.

Card to Remote System Authentication: The card sends its identity number
(not the PIN) to the remote system so that the system picks the corresponding public
key from its database. Now the process proceeds as follows:

1. The remote system finds a random integer k and computes kP. The kP is
sent to the card.

2. The card computes u(kP) using the user's secret key and sends it back to the
remote system.

3. The remote system computes kU using the user's public key and compares it with
the received u(kP). If they match then the remote system can be sure of the
validity of the card.

Remote System to Card Authentication: A similar protocol runs as follows:

1. The card finds a random integer k and computes kP. The kP is sent to
the remote system.

2. The remote system computes s(kP) using its secret key and sends it back to the
card.

3. The card computes kS using the remote system's public key and compares it with
the s(kP) received from the remote system. If they match then the card can be
sure of the validity of the system.
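The two challenge-response runs above, together with the Diffie-Hellman exchange of Section 4.1 and the Menezes-Vanstone style encryption of Section 4.3, as an added Python example that is not part of the thesis. To keep the field arithmetic short it uses a constructed curve y^2 = x^3 - x + 1 over the prime field GF(10007) instead of a curve over GF(2^n) in normal-basis form, so the field layer is an assumption while the protocol steps are those of the text.

```python
# Added example (not from the thesis): the protocols of Sections 4.1, 4.3 and
# 4.5.6 on a constructed toy curve over a prime field. Real deployments use
# a far larger field and a curve chosen by the criteria of Chapter 3.
import secrets

P_MOD = 10007                    # prime field size (toy; far too small for real use)
A, B = P_MOD - 1, 1              # constructed curve y^2 = x^3 - x + 1 (a = -1, b = 1)
BASE = (0, 1)                    # 1^2 = 0^3 - 0 + 1, so (0, 1) lies on the curve
INF = None                       # point at infinity (group identity)


def ec_add(p1, p2):
    """Affine point addition (chord-and-tangent rule) on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # p2 = -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD


def ec_mul(k, pt):
    """k * pt by double-and-add (the card's main workload in these protocols)."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def on_curve(pt):
    """True if pt satisfies the curve equation (sanity check for results)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


# Section 4.1: after exchanging aP and bP, both sides compute abP.
def ecdh_shared(own_secret, other_public):
    return ec_mul(own_secret, other_public)


# Section 4.3: ciphertext is (kP, M1*x, M2*y) with (x, y) = k(aP).
def mv_encrypt(public_key, m1, m2, k):
    pt = ec_mul(k, public_key)
    if pt is INF or 0 in pt:                         # negligible-probability case
        raise ValueError("k(aP) has a zero coordinate; choose another k")
    x, y = pt
    return ec_mul(k, BASE), m1 * x % P_MOD, m2 * y % P_MOD


def mv_decrypt(secret, ciphertext):
    """Recover (M1, M2): compute a(kP) = (x, y), then two field divisions."""
    kp, c1, c2 = ciphertext
    x, y = ec_mul(secret, kp)
    return c1 * pow(x, -1, P_MOD) % P_MOD, c2 * pow(y, -1, P_MOD) % P_MOD


# Section 4.5.6: the verifier sends kP, the prover answers with its secret
# multiple of it, and the verifier compares with k times the prover's public
# key. Running it once in each direction gives mutual authentication.
def auth_challenge():
    k = secrets.randbelow(P_MOD - 1) + 1
    return k, ec_mul(k, BASE)


def auth_respond(secret, challenge_point):
    return ec_mul(secret, challenge_point)


def auth_verify(k, public_key, response):
    return response is not INF and ec_mul(k, public_key) == response


def demo():
    """Fixed secrets so the run is reproducible; returns values a test can check."""
    u, s = 1234, 5678                                # user (card) and remote system secrets
    pub_u, pub_s = ec_mul(u, BASE), ec_mul(s, BASE)  # U = uP and S = sP
    shared_ok = ecdh_shared(u, pub_s) == ecdh_shared(s, pub_u)
    ct = mv_encrypt(pub_u, 42, 4242, k=97)           # remote side encrypts (42, 4242) to the user
    recovered = mv_decrypt(u, ct)
    k, chal = auth_challenge()                       # remote system challenges the card
    card_ok = auth_verify(k, pub_u, auth_respond(u, chal))
    return shared_ok, recovered, card_ok
```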

The microcontroller of the smart card is programmed to perform all the
computations required in the above protocols. The application program is stored in
ROM. The EEPROM contains all the information specific to the user and the algorithm,
i.e. public key, private key and algorithm parameters. Since the size of the memory is
limited, the storage requirement of a public key algorithm is one of the major
criteria for its selection for the smart card. How the field and curve should be chosen
for a smart card so as to minimize the storage requirement we will see in the
next section.


f 
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4 5 7 Selection of Field and Curve for Smart Cards 


Since the storage and computation requirements for a smart card based application
are the crucial factors, our major concern here will be to minimize the storage for
a smart card and also to select a field and curve so that the computations involved are
reduced.

We first concentrate on storage requirements [Miy92], which are very important
in hardware implementation. Let the selected field be GF(2^n). The information
to be stored and the corresponding storage requirement in bits is given below.

• The irreducible polynomial over which the field is selected. The corresponding
storage requirement is n + 1 bits.

• Curve coefficients a and b for the curve y^2 + xy = x^3 + ax^2 + b. The
corresponding bits to be stored are 2n bits.

• The base point P(x, y). The corresponding storage requirement is 2n bits.

• Secret key. For this at most n bits are needed.

• Public key of self and of the remote system as well. In total 4n bits are needed
for this.

• Size (number of bits) of the order of the curve.

• PIN and card identification number.

As we will see in the next chapter, optimal normal bases are very attractive
for hardware implementation of GF(2^n), as squaring and addition can each be
performed in one clock cycle and the multiplier has minimal complexity. Unfortunately,
the ONB does not exist for every extension of GF(2). But if the ONB
exists in GF(2^n) then it is unique, and the corresponding multiplier will also be unique
irrespective of the modulo polynomial used for defining the field GF(2^n). Once we
know the ONB representation of any element of GF(2^n), the modulo polynomial
need not be stored. Hence there is a memory saving of n + 1 bits.

If a non-supersingular elliptic curve is selected then the addition formulae
require only the coefficient a. Hence only the coefficient a needs to be stored. The addition of
two points on supersingular curves requires a and b. The size of the secret key will
approximately be the same as that of the field. The base point P requires storage of
two GF(2^n) elements. The two public keys require storage of 4 elements of GF(2^n).
It may not always be necessary to store the public keys in the smart card if all the
keys can be stored in a common database which contains all the public keys with
certification [Sta95]. The storage requirement for the size of the order is insignificant.
Similarly, the PIN and the card's identity number are always required. Hence we see
that an elliptic curve based smart card requires 8n bits or 9n bits of storage according as the
curve is non-supersingular or supersingular.

4.5.8 Comparison with RSA based Smart Card

As we discussed in the previous section, the elliptic curve based smart card needs 8n
or 9n bits of storage if non-supersingular or supersingular elliptic curves are used.
If the selected field is GF(2^130) then the total storage requirement is roughly 1K
bits or 1.1K bits. Now we make an estimate of the storage requirement of RSA
based smart cards for the sake of comparison. This comparison is necessary because
RSA is the most widely used algorithm for smart cards in the present scenario, and
in future the elliptic curve public key algorithm may become an alternative to it.

As we discussed earlier, the RSA cryptosystem requires at least a 512 bit modulus.
For a 512 bit modulus RSA based smart card, the information to be stored and the
corresponding storage requirement in bits is given below.

• Publicly known modulo integer n_u obtained by the card. This requires 512
bits to be stored.

• Publicly known modulo integer n_s obtained by the remote system. This
again requires 512 bits of storage.

• Public key of the user, which is a 512 bit long enciphering exponent e_u.

• Public key of the remote system, which is again a 512 bit long enciphering
exponent.

• Secret key of the user, which is a 512 bit long deciphering exponent d_u.

In this way the storage requirement is approximately 2560 bits, which is
more than double what is required for an elliptic curve based smart card. Hence
we can see that an elliptic curve based smart card requires less memory in comparison
to an RSA based smart card.

From the viewpoint of required computations, the RSA public key algorithm
needs a larger number of computations as compared to the elliptic curve algorithm. Hence
the complexity of the coprocessor of an RSA based smart card is far more than that
required for an elliptic curve based smart card. The major computation in an
elliptic curve public key algorithm is the computation of a multiple of a point. If the
private key k contains x bits with Hamming weight y, then the computation
of kP requires x doublings and y additions. For a non-supersingular elliptic curve
over GF(2^n), addition of two distinct points takes two field multiplications and
one inversion, while doubling a point takes three multiplications and one inversion.
Furthermore, one inversion takes

\[ \lfloor \log_2 (n - 1) \rfloor + w(n - 1) - 1 \]

field multiplications, where w(n − 1) is the number of ones in the binary representation of n − 1. If
the chosen field is GF(2^130), inversion takes 8 multiplications and hence addition
and doubling take 10 and 11 multiplications respectively. This shows that the total
number of field multiplications to compute kP is 11x + 10y. For GF(2^130), the typical
values of x and y will be 130 and 130/3. With these values of x and y, the number of field
multiplications approximately equals 1864. Since, for GF(2^n), each multiplication in
ONB form needs n clock cycles (for a hardware multiplier), the total number of clock cycles
to compute kP over GF(2^130) approximately equals 242320. Moreover, the number
of field multiplications can be reduced by using projective coordinates instead of
affine coordinates. In this case, computation of kP requires 7x + 13y multiplications,
because addition and doubling of points require 13 and 7 multiplications respectively.
This shows that the expected number of clock cycles in the computation of kP will be
7nx + 13ny. With the above values of x and y for GF(2^130), the number of field
multiplications equals 1482 and the number of clock cycles required in the computation
of kP will approximately be 192660. In an equivalent RSA cryptosystem with a
512 bit long modulo integer, to encipher or decipher a 512 bit number requires 1.2
multiplications in modular arithmetic per bit, or about 750 multiplications in total.
A hardware chip [WQ90] designed for RSA based smart cards has already come on
the market that could compute an RSA operation mod n, with 512 bit operands, in less than 1.5
seconds (6 MHz), requiring approximately 9000000 clock cycles. These estimates
clearly depict the superiority of elliptic curve cryptosystems.

Hence we see that elliptic curves are a better choice for smart cards as compared
to the presently used RSA. Since RSA with a 512 bit modulus will face a serious
security threat in the near future, these cryptosystems with larger modulo integers are
also being realized, which will further increase the memory and computation requirements.
In such a scenario, the elliptic curve based smart card will definitely be a
better alternative to the RSA based smart card.

With this we conclude this chapter. For more information on smart cards
please see [Sim91, NM95, Kon91, FOM92, DVJ96, AMV93]. In the next chapter we
will concentrate on the actual software implementation.
Chapter 5


Implementation and Results 

5.1 Introduction

Up to now, we discussed almost all the fundamentals of elliptic curves which
are required for building a secure elliptic curve public key cryptosystem. Since an
elliptic curve cryptosystem offers various advantages over other existing public key
cryptosystems, the practical implementation of these systems is becoming a subject
in which most cryptographers are taking interest today. Their continuous
efforts have already resulted in some useful hardware implementations in the form of
application specific integrated circuits [AMV93]. Although hardware implementations
provide much higher throughput, in most network and internetwork
applications software implementations are generally preferred over hardware implementations.
Keeping in mind the flexibility and other advantages of software
implementation, a lot of work is being done in this area as a challenge for cryptographers
and software programmers [HMV92, Kumar96, Pank97]. In this thesis, we
have independently tried to implement elliptic curve public key cryptosystems in
software. Here we are not claiming this to be efficient, since any implementation is
machine and code dependent. But the main advantage of this implementation is that
all the programming has been done using today's most general purpose high level
language, ANSI C, without using any readymade package available for cryptography
(such as SIMATH). This approach is very useful at the application level, where installing
the whole package is not the right suggestion for getting small cryptographic applications
like e-mail security, FAX security and smart card microcontroller programming.
Recently, the two largest manufacturers of smart cards, Gemplus and Schlumberger,
announced the idea of JAVA programming for smart cards. For more information
refer to [Gemp].

The implementation done in this thesis can be divided in two parts. In
the first part, an operating system and processor independent package for message
encryption and decryption, based on the elliptic curve ElGamal scheme over GF(2^n), has
been written. This may be useful for Email and Fax security applications. The field
used is GF(2^113). In the second part, implementation of encryption, decryption
and authentication algorithms on the TMS320C40 25 MHz digital signal processor
has been done. The approach used here is based on an optimizing C cross compiler
which takes the C programs as input and generates the optimized assembly language
programs as output. The size of the field used here can be up to GF(2^°°).

5.2 Why We Have Used Normal Basis Representation in Our Implementation

For any chosen field GF(2^n), there are many different bases to represent its elements.
Two of them are the standard or polynomial basis and the normal basis. Keeping
in mind the advantages of normal basis representation, we have used
this representation for all the field elements in our implementation. A normal basis
of GF(2^n) over GF(2) is a basis of the form

\[ \{ \beta, \beta^2, \beta^{2^2}, \ldots, \beta^{2^{n-1}} \} \]

where β ∈ GF(2^n); it is well known [LdNd] that such a basis always exists. Given
any element a ∈ GF(2^n), we can write

\[ a = \sum_{i=0}^{n-1} a_i \beta^{2^i}, \quad \text{where } a_i \in \{0, 1\}. \]
Since squaring is a linear operator in GF(2^n), we have

\[ a^2 = \sum_{i=0}^{n-1} a_i \beta^{2^{i+1}} = \sum_{i=0}^{n-1} a_{i-1} \beta^{2^i} = (a_{n-1}, a_0, a_1, \ldots, a_{n-2}) \]

with indices reduced modulo n. Hence a normal basis representation of GF(2^n)
is advantageous because squaring a field element can then be accomplished by a
simple rotation of the original representation, an operation that is easily implemented
in hardware as well as in software.

Multiplication in a normal basis representation is more complicated. Let
A = (a_0, a_1, ..., a_{n−1}), B = (b_0, b_1, ..., b_{n−1}) be arbitrary elements in GF(2^n), and
let C = AB = (c_0, c_1, ..., c_{n−1}). Then

\[ C = \sum_{i=0}^{n-1} \sum_{j=0}^{n-1} a_i b_j \beta^{2^i} \beta^{2^j}. \quad (a) \]

If we let

\[ \beta^{2^i} \beta^{2^j} = \sum_{k=0}^{n-1} \lambda_{ij}^{(k)} \beta^{2^k}, \quad \lambda_{ij}^{(k)} \in \{0, 1\}, \quad (b) \]

then comparing coefficients of β^{2^k} in (a) yields the formulae

\[ c_k = \sum_{i=0}^{n-1} \sum_{j=0}^{n-1} a_i \lambda_{ij}^{(k)} b_j, \quad 0 \le k \le n-1. \quad (c) \]

Raising both sides of (b) to the 2^{−k}th power we find that

Equating coefficients of β in (d) then yields

\[ \lambda_{ij}^{(k)} = \lambda_{i-k,\,j-k}^{(0)} \quad \text{for all } 0 \le i, j, k \le n-1. \]

The formula (c) can now be rewritten as

\[ c_k = \sum_{i=0}^{n-1} \sum_{j=0}^{n-1} a_i \lambda_{i-k,\,j-k}^{(0)} b_j = \sum_{i=0}^{n-1} \sum_{j=0}^{n-1} a_{i+k} \lambda_{ij}^{(0)} b_{j+k}. \]

Hence if a logic circuit with inputs A and B is built to compute the product digit
c_0, the same circuit with inputs A^{(k)} = (a_k, a_{k+1}, ..., a_{k−1}) and B^{(k)} = (b_k, b_{k+1}, ..., b_{k−1}) yields the product digit c_k. Note
that A^{(k)} and B^{(k)} are simply cyclic shifts of A and B. In this way the use
of a normal basis simplifies the computations involved in the implementation of the
multiplier.

The complexity of such an implementation is determined by C_N, the number
of non-zero terms λ_{ij}^{(0)}. A lower bound on C_N is
C_N ≥ 2n − 1 [MOVW88]. If C_N = 2n − 1, then the normal basis is said to be an
optimal normal basis (ONB). So, if we use an optimal normal basis for field element
representation, then the multiplier attains the minimal complexity. Unfortunately
the ONB does not exist for every extension of GF(2). The following two theorems
tell us about the existence of an ONB in GF(2^n).

Theorem 1 If n + 1 is prime and 2 is a primitive element of GF(n + 1), then the (n + 1)th
roots of unity in GF(2^n) form the ONB.

Theorem 2 If 2n + 1 is prime and either

1. 2 is primitive in GF(2n + 1), or

2. 2n + 1 ≡ 3 mod 4 and 2 generates the quadratic residues in GF(2n + 1),

then for a (2n + 1)th root of unity β in GF(2^{2n}), γ = β + β^{−1} will be the optimal
normal basis generator.

So, in order to attain minimal complexity in the implementation, the selected
field GF(2^n) should be such that n satisfies one of the conditions given in these two
theorems. In our case, we have taken n according to Theorem 2. Some useful
values of n for which an ONB can be constructed in GF(2^n) are 100, 105, 106, 113, 119,
130, 131, 134, 135, 138, 146, 148, 155, 158, 162, 172, 173, 174, 178, 179, 180, 183,
186, 189, 191, 194, 196, 209, 210, 221 and so on. Since these values are sufficient
for elliptic curve cryptosystems to be secure, we are not giving higher
values of n. For more values of n, readers may refer to [MOVW88].

In the following section we will discuss, in sequence, the various steps which have
been involved in reaching the final implementation. At each and every step the
corresponding procedure for efficient implementation is also given.

5.3 Various steps involved in the implementation

It is clear now that to implement an elliptic curve public key cryptosystem, the
basic computation involved is that of kP, where k denotes the private key and P is the
publicly known base point on the chosen elliptic curve. Since computation of kP
means k times addition of the point P, the only operations involved to compute kP
are addition of two points and doubling of a point. Explicit formulae for addition of
two points and doubling of a point have already been given in chapter 2. It is clearly
visible from these explicit formulae that the arithmetic operations involved in these
formulae are squaring, addition, multiplication and inverse. Since our implementation
is based on an optimal normal basis, squaring is just a simple rotation and addition
is just a simple exclusive OR. There is an efficient algorithm available to compute
the inverse in terms of multiplications, as we will see later on. So the only basic
operation needed to compute kP is the multiplication of two field elements.

As we saw in the previous section, to implement a normal basis multiplier
it is necessary to compute the lambda matrix, denoted as Λ = (λ_{ij})_{n×n}. This matrix
is fixed for a given field GF(2^n) and the number of ones in this matrix equals 2n − 1.
We could successfully implement this matrix for the given field GF(2^n). How this
could be achieved is shown below in the various steps.

5.3.1 Computation of Lambda Matrix Required for Normal Basis Multiplication

To get Λ = (λ_{ij})_{n×n} we adopt the following efficient procedure.

1. Find the minimal polynomial of the ONBG, denoted as m_β(x). This is the irreducible
polynomial over which the chosen field GF(2^n) is defined.

2. Find all the products β · β^{2^j}, 0 ≤ j ≤ n − 1 (n products), modulo m_β(x).

3. Express the polynomial basis representation of the above products in normal
basis representation using the transformation matrix T.

4. Order all the above normal basis representations of β · β^{2^j}, 0 ≤ j ≤ n − 1, with
increasing j to give the matrix Q = (q_{ij}).

5. Use the relation λ_{ij}^{(k)} = λ_{i−k,j−k}^{(0)} of section 5.2 to get Λ = (λ_{ij}) from Q = (q_{ij}).

So to implement this approach to get the lambda matrix we have to implement the
above steps as given in the following sections.

5.3.2 Finding The Minimal Polynomial of ONBG

This is the first step towards the lambda matrix. Assuming that β is the ONBG according
to Theorem 2, it is easy to derive the minimal polynomial m_β(x) of β,
which is specified in terms of a recursion [Men93a]. Let

\[ f_0(x) = 1, \quad f_1(x) = x + 1, \]

and for any t ≥ 2

\[ f_t(x) = x f_{t-1}(x) + f_{t-2}(x) \]

be the sequence of polynomials f_i(x), i = 1, 2, ..., over GF(2). Then if n is such that
an ONBG is guaranteed, f_n(x) is the minimal polynomial m_β(x) of the
ONBG. We can clearly recognize that the sequence of polynomials f_i(x) are nothing
but Fibonacci polynomials [McEl]. This is a beautiful and quite useful coincidence,
in that they are very easy to generate.
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5 3 3 Finding the multiplication of Two GF{2^) Elements 
Represented m Standard Basis 

This IS tlu second step towards lambda matrix which we have implemented Let 
A — (oq Oi, B = (5o,6i, ,Cn-i) and C = (co,ci Cn_i) be their 

piodiict Wc have used the following algorithm for computation of C Here / = 
(/o /i 1 /«) denotes the coefficients of modulo polynomial m 0 {x) 

Procedure GF2PROD(A,B) 

1 Begin 

2 Set C= (0,0, ,0) 

3 for z = 0 to n - 1 

• begin 

• if {bn-i-i = 1) then 

if (Cn = 1) then C — C + f A 

else C = C + A 

else if (Crt = 1) C = C + / 

• Give a right shift to bits of C 

• end 

4 End 

Using this procedure, we could implement to find the first n cross products 
0 < j <n-l modulo mp{x) 

5.3.4 Finding the Transformation Matrix T

The computation of the transformation matrix is necessary to convert the SB representation
into the NB representation as

NB = T · SB

and back as

SB = T^{−1} · NB.

After computation of T, we converted the n cross products found above
into their corresponding normal basis representation according to the third step towards
the lambda matrix. We have the following procedure to build the matrix T. Let

NB be the normal basis generated by the ONBG β, and

SB the standard basis generated by the ONBG β.

Then

β in terms of SB = (0, 1, 0, ..., 0)

β in terms of NB = (1, 0, 0, ..., 0)

and we have thus

β^2 = (0, 0, 1, 0, ..., 0)

β^3 = (0, 0, 0, 1, ..., 0)

...

β^{n−1} = (0, 0, 0, ..., 0, 1)

in terms of SB. Hence, if we view any element in GF(2^n) in terms of SB we
can have the SB representation of the product or sum of any two elements of GF(2^n)
(reduced modulo m_β(x), the minimal polynomial of β as well as the chosen primitive
irreducible polynomial). Therefore, we can find the transformation matrix easily by
multiplication modulo m_β(x).

Using the minimal polynomial of the ONBG and the procedure GF2PROD(A, B)
implemented in steps 1 and 2 respectively, we have derived an algorithm for finding
the transpose of the transformation matrix for a given field GF(2^n).
Procedure Tmatrix(β)

1. Begin

2. Initialize all elements of T' to zero

3. for (i = 0; i < ⌊log2 n⌋; i++)

T'[i][2^i] = 1;

4. for (i = ⌊log2 n⌋; i ≤ n − 1; i++)

T'[i] = GF2PROD(T'[i − 1], T'[i − 1]);

5. End

The matrix T' computed by this procedure is the transpose of the desired
transformation matrix, so we can easily compute the desired transformation matrix
T.

5.3.5 Standard Basis to Normal Basis conversion

After having the transformation matrix T, the next step we have implemented is
standard basis to normal basis conversion. This is a simple matrix multiplication
program. We can find the NB representation as follows:

[NB]_{n×1} = [T^{−1}]_{n×n} [SB]_{n×1}

where T^{−1} is the inverse of the matrix T. A very efficient and fast matrix inversion
program has been written by us.

After having this implementation, step 4 and step 5 are simple mathematical
manipulations and we can easily get the lambda matrix for the field GF(2^n).

5.3.6 Software Implementation of Normal Basis Multiplier over GF(2^n)

We have successfully implemented a software version of a very efficient normal basis
multiplier. Since we have chosen an optimal normal basis throughout our implementation,
the designed multiplier has minimal complexity.

In section 5.2 we have already discussed the multiplication operation of two
field elements represented in optimal normal basis. Let A = (a_0, a_1, ..., a_{n−1}) and
B = (b_0, b_1, ..., b_{n−1}) be two field elements given in ONB representation, and let
C = (c_0, c_1, ..., c_{n−1}) be their product. The procedure for normal basis multiplication
is as follows. Here Λ is the lambda matrix obtained in the previous section.

Procedure NBPROD(A, B)

1. Begin

2. for (i = 0; i < n; i++)

• Compute c_i = A Λ B^T

• Rotate A by one bit in the left direction

• Rotate B by one bit in the left direction

• end

3. End

In the next section we will see how the inverse operation in the field GF(2^n)
can be converted into multiplication operations.

5.3.7 Computing the Inverse of a Field Element over GF(2^m)

We have implemented the most efficient technique, from the point of view of minimizing
the number of multiplications, to compute the inverse of an element in GF(2^m),
proposed by Itoh, Teechai and Tsujii [ITT86]. Observe that if a ∈ GF(2^m), a ≠ 0,
then

\[ a^{-1} = a^{2^m - 2} = \left( a^{2^{m-1} - 1} \right)^2 \quad [\text{since } a^{2^m - 1} = 1]. \]

If m is odd, then since

\[ 2^{m-1} - 1 = \left( 2^{(m-1)/2} - 1 \right) \left( 2^{(m-1)/2} + 1 \right), \]

we have

\[ a^{2^{m-1} - 1} = \left( a^{2^{(m-1)/2} - 1} \right)^{2^{(m-1)/2}} \cdot a^{2^{(m-1)/2} - 1}. \]

Hence it takes only one multiplication to evaluate a^{2^{m−1}−1} once the quantity
a^{2^{(m−1)/2}−1} has been computed (we are ignoring the cost of squaring). If m is even, then we have

\[ a^{2^{m-1} - 1} = \left( \left( a^{2^{(m-2)/2} - 1} \right)^{2^{(m-2)/2}} \cdot a^{2^{(m-2)/2} - 1} \right)^2 \cdot a, \]

and consequently it takes two multiplications to evaluate a^{2^{m−1}−1} once a^{2^{(m−2)/2}−1}
has been computed. The procedure is then repeated recursively.

This algorithm to compute the inverse can be understood more easily by the
following example. Consider the field GF(2^155). We have

\[ 2^{155} - 2 = 2 (2^{77} - 1)(2^{77} + 1), \]

\[ 2^{77} - 1 = 2 (2^{19} - 1)(2^{19} + 1)(2^{38} + 1) + 1, \]

\[ 2^{19} - 1 = 2 (2^{9} - 1)(2^{9} + 1) + 1, \]

\[ 2^{9} - 1 = 2 (2 - 1)(2 + 1)(2^{2} + 1)(2^{4} + 1) + 1, \]

and so an inversion in GF(2^155) takes 10 multiplications.

It can easily be verified by induction that this method requires exactly
I(m) = ⌊log2(m − 1)⌋ + w(m − 1) − 1 field multiplications, where w(m − 1) denotes
the number of 1s in the binary representation of m − 1.
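The whole chain of sections 5.2 and 5.3.1 to 5.3.7 in one place, as an added example that is not the thesis's code: the Fibonacci polynomial recursion for m(x), GF2PROD, the T matrix and its inverse, the Q and lambda matrices, NBPROD as the c_0 circuit on rotated inputs, squaring as a rotation, and the Itoh-Tsujii inversion with its multiplication count. It assumes a constructed toy field with n = 5 (a type II ONB exists since 11 is prime and 2 is primitive modulo 11), takes gamma = x as the root of m(x), and uses two 64-bit limbs in minpoly128 so that the same recursion also reproduces the degree 113 polynomial listed in section 5.4.

```c
#include <stdint.h>

/* m(x) for the type II ONB generator, n <= 127 (two 64-bit limbs): f_0 = 1,
   f_1 = x + 1, f_t = x f_{t-1} + f_{t-2} over GF(2); m(x) = f_n(x) (section 5.3.2) */
typedef struct { uint64_t lo, hi; } p128;        /* bit e = coefficient of x^e */
static p128 minpoly128(int n) {
    p128 f0 = {1, 0}, f1 = {3, 0};
    for (int t = 2; t <= n; t++) {
        p128 f = { (f1.lo << 1) ^ f0.lo, ((f1.hi << 1) | (f1.lo >> 63)) ^ f0.hi };
        f0 = f1; f1 = f;
    }
    return n == 0 ? f0 : f1;
}
static int minpoly_coeff(int n, int e) {          /* coefficient of x^e in f_n(x) */
    p128 f = minpoly128(n);
    return (int)((e < 64 ? f.lo >> e : f.hi >> (e - 64)) & 1);
}
static int minpoly_weight(int n) {                /* number of terms of f_n(x) */
    p128 f = minpoly128(n);
    return __builtin_popcountll(f.lo) + __builtin_popcountll(f.hi);
}

#define N 5   /* constructed toy field: 2N+1 = 11 is prime and 2 is primitive mod 11 */
typedef uint64_t gf;   /* bit i = coefficient of x^i (SB) or of gamma^(2^i) (NB) */
#define MASK (((gf)1 << N) - 1)
/* GF2PROD (section 5.3.3): a*b modulo m(x), deg m = n, shift-and-add from the top bit of b */
static gf sb_mul(gf a, gf b, gf m, int n) {
    gf c = 0;
    for (int i = n - 1; i >= 0; i--) {
        c <<= 1;
        if (c >> n & 1) c ^= m;              /* reduce the overflow bit with m(x) */
        if (b >> i & 1) c ^= a;
    }
    return c;
}

static gf M, Tm[N], Einv[N], Lam[N];   /* m(x); rows of T; rows of T^-1; lambda rows */
static int ready, mul_count;
static void init_field(void) {
    if (ready) return;
    M = (gf)minpoly128(N).lo;
    Tm[0] = 2;                           /* gamma = x is a root of m(x); row i of T is gamma^(2^i) in SB */
    for (int i = 1; i < N; i++) Tm[i] = sb_mul(Tm[i-1], Tm[i-1], M, N);
    gf R[N], Q[N];                       /* Gauss-Jordan over GF(2): afterwards e_k = sum_j Einv[k]_j T[j] */
    for (int i = 0; i < N; i++) { R[i] = Tm[i]; Einv[i] = (gf)1 << i; }
    for (int col = 0; col < N; col++) {
        int p = col;
        while (!(R[p] >> col & 1)) p++;  /* T is invertible, so a pivot exists */
        gf t = R[p]; R[p] = R[col]; R[col] = t;
        t = Einv[p]; Einv[p] = Einv[col]; Einv[col] = t;
        for (int r = 0; r < N; r++)
            if (r != col && (R[r] >> col & 1)) { R[r] ^= R[col]; Einv[r] ^= Einv[col]; }
    }
    for (int j = 0; j < N; j++) {        /* Q[j] = gamma * gamma^(2^j) in NB, i.e. the lambda_0j^(k) */
        gf s = sb_mul(Tm[0], Tm[j], M, N); Q[j] = 0;
        for (int k = 0; k < N; k++) if (s >> k & 1) Q[j] ^= Einv[k];
    }
    for (int i = 0; i < N; i++)          /* lambda_ij^(0) = lambda_{0,j-i}^(-i), indices modulo N */
        for (int j = 0; j < N; j++)
            if (Q[(j - i + N) % N] >> ((N - i) % N) & 1) Lam[i] |= (gf)1 << j;
    ready = 1;
}
static gf sb_to_nb(gf s) {               /* NB = T^-1 SB (section 5.3.5) */
    gf v = 0; init_field();
    for (int k = 0; k < N; k++) if (s >> k & 1) v ^= Einv[k];
    return v;
}
static int lambda_weight(void) {         /* C_N: non-zero lambda_ij, 2N-1 for an ONB */
    int w = 0; init_field();
    for (int i = 0; i < N; i++) w += __builtin_popcountll(Lam[i]);
    return w;
}
/* Squaring in NB is a cyclic shift; rot_down presents (a_{i+1}) to the c_0 circuit */
static gf nb_sqr(gf a)   { return ((a << 1) | (a >> (N - 1))) & MASK; }
static gf rot_down(gf a) { return ((a >> 1) | (a << (N - 1))) & MASK; }
/* NBPROD (5.3.6): c_k = sum_{i,j} a_{i+k} lambda_ij b_{j+k}, the c_0 circuit on rotated inputs */
static gf nb_mul(gf a, gf b) {
    gf c = 0; init_field(); mul_count++;
    for (int k = 0; k < N; k++) {
        int bit = 0;
        for (int i = 0; i < N; i++)
            if (a >> i & 1) bit ^= __builtin_popcountll(Lam[i] & b) & 1;
        c |= (gf)bit << k;
        a = rot_down(a); b = rot_down(b);
    }
    return c;
}
/* Itoh-Tsujii (5.3.7): a^(2^k - 1); even k costs one multiplication, odd k costs two */
static gf pow2k_minus1(gf a, int k) {
    if (k == 1) return a;
    if (k % 2) return nb_mul(nb_sqr(pow2k_minus1(a, k - 1)), a);
    gf t = pow2k_minus1(a, k / 2), u = t;
    for (int s = 0; s < k / 2; s++) u = nb_sqr(u);   /* t^(2^(k/2)) by k/2 rotations */
    return nb_mul(u, t);
}
static gf nb_inv(gf a) { return nb_sqr(pow2k_minus1(a, N - 1)); }   /* a^(2^N - 2) */
static int inv_mul_count(gf a) { mul_count = 0; nb_inv(a); return mul_count; }
```

In a normal basis the element 1 is the all-ones vector, so a · a^{−1} must come out as 31 for n = 5; the inversion cost ⌊log2(n − 1)⌋ + w(n − 1) − 1 is 2 multiplications there, and for n = 113 the recursion yields the 23-term polynomial of section 5.4.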

5.3.8 Computing the Sum of Two Points

After implementing the multiplication and inverse operations, the next step we implemented
is the addition of two points. We have chosen a non-supersingular elliptic
curve over GF(2^n); let it be y^2 + xy = x^3 + a_2 x^2 + a_6. Let X_1 = (x_{10}, x_{11}, ..., x_{1,n−1}),
Y_1 = (y_{10}, y_{11}, ..., y_{1,n−1}) be the coordinates of the first point P(X_1, Y_1) and X_2 =
(x_{20}, x_{21}, ..., x_{2,n−1}), Y_2 = (y_{20}, y_{21}, ..., y_{2,n−1}) be the coordinates of the second point
Q(X_2, Y_2). Let (X_3, Y_3) be the resultant point P + Q. Here we are giving a procedure
to calculate P + Q.

Procedure Addition(X_1, Y_1, X_2, Y_2)

1. Begin.

2. If P is the point at infinity O, P + Q = Q and go to End.

3. Else if Q is the point at infinity O, P + Q = P and go to End.

4. Else proceed as

• Find X_1 + X_2 and Y_1 + Y_2 using simple exclusive OR operations.

• Find (Y_1 + Y_2)/(X_1 + X_2) using one inversion and one multiplication.

• Find ((Y_1 + Y_2)/(X_1 + X_2))^2 using one bit rotation towards the right in (Y_1 + Y_2)/(X_1 + X_2).

• Find X_3 = ((Y_1 + Y_2)/(X_1 + X_2))^2 + (Y_1 + Y_2)/(X_1 + X_2) + X_1 + X_2 + a_2.

• Rotate X_1 to get X_1^2.

• Find ((Y_1 + Y_2)/(X_1 + X_2))(X_1 + X_3) using one multiplication.

• Find Y_3 = ((Y_1 + Y_2)/(X_1 + X_2))(X_1 + X_3) + X_3 + Y_1.

• end.

5. End.

In this way, we see that the addition of two points can be performed using
one inversion and two normal basis multiplications. In the next section we will give
the procedure to find the double of a point.



5.3.9 Computing the Double of a Point

Let P be a point (X_1, Y_1) on the curve y^2 + xy = x^3 + a_2 x^2 + a_6 and let (X, Y) be the
double of P. Here we are giving the procedure which we have implemented to find
the double of a point.

Procedure Double(X_1, Y_1)

1. Begin.

2. Rotate X_1 by one bit in the right direction to get X_1^2.

3. Find 1/X_1 using one inversion.

4. Rotate 1/X_1 by one bit in the right direction to get 1/X_1^2.

5. Find a_6/X_1^2 using one multiplication.

6. Find X = X_1^2 + a_6/X_1^2 using simple Ex-OR.

7. Find Y_1/X_1 using one multiplication.

8. Find (X_1 + Y_1/X_1) using Ex-OR.

9. Find (X_1 + Y_1/X_1) X using one multiplication.

10. Find Y = X_1^2 + (X_1 + Y_1/X_1) X + X using Ex-OR.

11. End.

In this way, we see that the double of a point can be computed using one
inversion and three normal basis multiplications.

5.3.10 Computing the Inverse Image of a Point

Let P be a point (X_1, Y_1) on the curve y^2 + xy = x^3 + a_2 x^2 + a_6. The computation
of −P(X, Y) is very easy according to the following procedure.

Procedure −P(X_1, Y_1)

1. Begin.

2. Assign X = X_1.

3. Find Y = X_1 + Y_1 using simple Ex-OR.

4. End.

Now we have implemented all the necessary subroutines to compute the
multiple of a point P, i.e. kP. In the next section we will mention an efficient
procedure to compute kP.

5.3.11 Computing the Multiple of a Point, kP

At this point, we have reached the last subroutine for building an
elliptic curve based cryptosystem: the implementation of kP. In this section,
we discuss various techniques for efficient computation of kP which are useful for
both hardware and software implementation.

Since this computation is equivalent to exponentiation of integers, an analog
of square and multiply [Knu81] for exponentiation, named accordingly double and
add, can be used. If

\[ k = \sum_{i=0}^{t-1} k_i 2^i, \quad k_i \in \{0, 1\}, \]

then

\[ kP = \sum_{i=0}^{t-1} k_i (2^i P). \]

Hence, we see that if k is a t bit integer then the computation of kP requires t − 1
doublings and at most t − 1 additions. The number of additions is equal to the
number of ones in the binary expansion of k. This algorithm is very useful for hardware
implementation as it does not require any precomputation or extra storage.

The addition of a point is as expensive as subtraction, because the inverse of
a point P (−P) can be computed at the cost of one addition in the underlying field.
Recognizing this fact, we can improve the above algorithm by introducing a
minor variation. This modified algorithm reduces the number of ones in the binary
representation of k by using both subtractions and additions. In this algorithm the
binary form of k is rewritten as follows. Starting from the LSB side, bits are grouped
in pairs of two bits (as if k were written with respect to base 4 with coefficients 0, 1, 2, 3
in binary form). Now, whenever a pair of bits consists of two ones (coefficient 3
in the base 4 representation), it is replaced by (0, −1) and 1 is added to the next 2-tuple as
carry, whereas the other 2-tuples, i.e. (0,0), (0,1), (1,0), are not changed. This process
continues till the MSB is reached. The example given below illustrates this clearly.

Example 

Let k = 98474747. Then 

^" = QioinoiiiioiooiioiQoioiililioii 

For this value of k the double and add method will require 30 doublings and 21 additions.
However, if we write k according to the modified double and add method then
we get

fc = 0110ti-QilQ^QilQ10011010Q110<2-OOt^M'«^Qi-(^Oi 

Here, a barred 1 represents −1 and ^ indicates the flow of carry from right to left. Now, for
the same value of k, kP can be computed with 30 doublings, 10 additions and 4
subtractions. Since computationally subtraction and addition are the same, it requires
7 fewer additions than the double and add method.

If k is represented by a string of only ones, then this method shows great
improvement, because for k = 2^t − 1 the simple double and add method will require t − 1
doublings and t additions, whereas the modified version will require t doublings and 1
addition. In the worst case (k is represented by alternate 1s and 0s), the modified
version will be the same as the simple binary method. Experimentally we have found that
on average the total number of additions required in the computation of kP is one third
of the number of bits in k.

Here we are giving the procedure to implement the modified double and
add method for computing kP. We have successfully implemented this procedure.



Procedure ComputekP(k, P)

1. Begin.

2. Sum = O.

3. while (k > 0)

• bitpair = k AND 3.

• k = k/4.

• If (bitpair = 3) then Sum = Sum + (−P) and k = k + 1.

• If (bitpair = 1) then Sum = Sum + P.

• P = P + P.

• If (bitpair = 2) then Sum = Sum + P.

• P = P + P.

4. End.
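Sections 5.3.8 to 5.3.11 together, as an added example that is not the thesis's code: the addition, doubling and negation formulae given above, the plain double and add method, and the modified ComputekP with its bit pair recoding, each counting the point operations it spends. To stay self-contained it assumes a constructed standard basis toy field GF(2^5) with m(x) = x^5 + x^2 + 1 (not the ONB of the implementation) and a constructed curve y^2 + xy = x^3 + 11 chosen so that the point (2, 3) lies on it; the operation counts for k = 98474747 come from running the recoding on that value, not from the thesis's own figures.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed toy field GF(2^5), standard basis, m(x) = x^5 + x^2 + 1 (not the thesis's ONB) */
#define N 5
#define M 0x25u
typedef uint32_t gf;

static gf fmul(gf a, gf b) {                 /* shift-and-add product modulo m(x) */
    gf c = 0;
    for (int i = N - 1; i >= 0; i--) {
        c <<= 1;
        if (c >> N & 1) c ^= M;
        if (b >> i & 1) c ^= a;
    }
    return c;
}
static gf finv(gf a) {                       /* a^(2^N - 2) = a^2 * a^4 * ... * a^(2^(N-1)) */
    gf r = 1;
    for (int i = 0; i < N - 1; i++) { a = fmul(a, a); r = fmul(r, a); }
    return r;
}

typedef struct { gf x, y; int inf; } pt;     /* inf != 0 marks the point at infinity O */
/* Curve y^2 + xy = x^3 + a2 x^2 + a6; a6 was chosen so that the constructed point (2, 3) lies on it */
static const gf A2 = 0, A6 = 11;

static int on_curve(pt p) {
    if (p.inf) return 1;
    gf x2 = fmul(p.x, p.x);
    return (fmul(p.y, p.y) ^ fmul(p.x, p.y)) == (fmul(x2, p.x) ^ fmul(A2, x2) ^ A6);
}
static pt neg(pt p) { pt r = { p.x, p.x ^ p.y, p.inf }; return r; }   /* -P = (X1, X1 + Y1), 5.3.10 */
/* Double (5.3.9): X = X1^2 + a6/X1^2, Y = X1^2 + (X1 + Y1/X1) X + X */
static pt dbl(pt p) {
    pt r = {0, 0, 1};
    if (p.inf || p.x == 0) return r;         /* X1 = 0 gives a point of order 2, so 2P = O */
    gf x2 = fmul(p.x, p.x), ix = finv(p.x);
    r.x = x2 ^ fmul(A6, fmul(ix, ix));
    r.y = x2 ^ fmul(p.x ^ fmul(p.y, ix), r.x) ^ r.x;
    r.inf = 0;
    return r;
}
/* Addition (5.3.8): lambda = (Y1+Y2)/(X1+X2), X3 = lambda^2 + lambda + X1 + X2 + a2,
   Y3 = lambda (X1 + X3) + X3 + Y1; the O cases and P = Q, P = -Q are handled first */
static pt add(pt p, pt q) {
    if (p.inf) return q;
    if (q.inf) return p;
    if (p.x == q.x) { pt o = {0, 0, 1}; return p.y == q.y ? dbl(p) : o; }
    gf lam = fmul(p.y ^ q.y, finv(p.x ^ q.x));
    pt r = {0, 0, 0};
    r.x = fmul(lam, lam) ^ lam ^ p.x ^ q.x ^ A2;
    r.y = fmul(lam, p.x ^ r.x) ^ r.x ^ p.y;
    return r;
}

typedef struct { int adds, subs, doublings; } ops;   /* point operations spent by a scalar method */
/* Plain double and add, most significant bit first: t-1 doublings, one addition per 1 bit */
static pt mul_binary(uint32_t k, pt p, ops *c) {
    pt sum = {0, 0, 1}; ops z = {0, 0, 0}; if (!c) c = &z;
    for (int i = 31; i >= 0; i--) {
        if (!sum.inf) { sum = dbl(sum); c->doublings++; }
        if (k >> i & 1) { sum = add(sum, p); c->adds++; }
    }
    return sum;
}
/* ComputekP (5.3.11): bit pairs from the LSB; a pair 11 becomes -P plus a carry into the next pair */
static pt mul_recoded(uint32_t k, pt p, ops *c) {
    pt sum = {0, 0, 1}; ops z = {0, 0, 0}; if (!c) c = &z;
    while (k > 0) {
        uint32_t bitpair = k & 3;
        k >>= 2;
        if (bitpair == 3) { sum = add(sum, neg(p)); c->subs++; k++; }
        if (bitpair == 1) { sum = add(sum, p); c->adds++; }
        p = dbl(p); c->doublings++;
        if (bitpair == 2) { sum = add(sum, p); c->adds++; }
        p = dbl(p); c->doublings++;
    }
    return sum;
}
static int pt_eq(pt a, pt b) { return a.inf ? b.inf : (!b.inf && a.x == b.x && a.y == b.y); }
static pt base_point(void) { pt p = {2, 3, 0}; return p; }
static int recoded_ops(uint32_t k, int subs) {   /* adds (subs = 0) or subs (subs = 1) used by ComputekP */
    ops c = {0, 0, 0}; mul_recoded(k, base_point(), &c); return subs ? c.subs : c.adds;
}
static int binary_adds(uint32_t k) { ops c = {0, 0, 0}; mul_binary(k, base_point(), &c); return c.adds; }
```

For k = 98474747 (19 ones in 27 bits) the recoding spends 6 additions and 6 subtractions against 19 additions for plain double and add, and both methods land on the same point of the curve.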

Based on the above subroutines, we have developed a software package
for message encryption and decryption over GF(2^113). Simultaneously, we have
implemented encryption, decryption and authentication protocols from the smart card
viewpoint on the TMS320C40 digital signal processor. In the following sections we will
discuss them.

5.4 A software package for elliptic curve based message encryption and decryption over GF(2^113)
In some applications of public-key cryptography it is desirable, and perhaps even
necessary, that the key size be as small as possible. Moreover, the cryptosystem just
needs to be secure enough so that breaking it is not cost-effective. The purpose of this
section is to investigate the security and practicality of elliptic curve cryptosystems
with small key sizes of about 100 bits. The next two paragraphs describe some
situations which come to mind where a small public key size might be desirable.

Consider the scenario where we have a small network where we would like to
have secure e-mail exchange, or where we would like to have secure transmission of
messages by fax. Rather than exchange public keys using certificates, key exchange
is done verbally with authentication provided by voice recognition. If a symbol
set consists of 32 alphanumeric characters represented by all 5-bit vectors then an
n-bit key can be exchanged by representing it as a ⌈n/5⌉-symbol alphanumeric
string. For n about 100 such a string is less than twice the length of most current
international telephone numbers. A string of this length would also be convenient for
business cards, letterheads etc.

Consider also the following scenario: A software company places various 
programs on one distribution medium, however the purchaser can only access those 
programs he has paid for (the distribution medium could contain special purpose 
hardware that is tamper-proof for this purpose). If the user later wishes to purchase 
some of the other programs, he phones the company and places his request. The 
company in turn replies with the appropriate access information, which is digitally 
signed. The signature is verified by the user’s terminal, and access is granted. 

Most of the public-key cryptosystems are totally insecure if the key size is
restricted to about 100 bits. For example, since factoring 100-bit integers can be
readily done on a microcomputer, the RSA system is insecure for keys of that size.
The same holds true for systems whose security is based on the intractability of
the DLP in a finite field, such as the ElGamal cryptosystem. Recently La Macchia
and Odlyzko [MaOd91] computed logarithms in the field GF(p) where p is a 192-bit
prime, while Gordon and McCurley [GoMc91] were able to compute logarithms in
GF(2^401).

A good candidate that remains is the elliptic curve cryptosystem. We could
successfully implement these systems over GF(2^113). The reason why we have chosen
n = 113 is only that it is around 100 and an optimal normal basis exists for this field.
All implementations have been done in the C language on Pentium 100 MHz and
Pentium 150 MHz machines.

We have chosen the non-supersingular curve given as y^2 + xy = x^3 + a_2 x^2 + a_6
over the field GF(2^113). The computed minimal polynomial of the ONBG over which
the field is defined is

IIOOOOOOIIOOIIIOOOOOOOOOOOOOOOOOOOOOOOOO 

OOOOOOOOOOOOOOOOOOOOOOOOllOOOOOOllOOlllOOOOO 

000000000000110000001100111011 


Here first bit is the coefficient of second of and so on. The last bit is the 
coefficient of So we can also write this polynomial as 

1 + a; + a:® + a;® + + x^^ + + x’^^ + x’^® + + x^® + 

X96 + 2;97 3.104 + + 3.IO8 ^ 3.IO9 ^ ^110 + ^112 ^113 
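The following is an added example and not code from the thesis. It decodes the LSB-first bit string given above into the polynomial and runs the checks a practitioner wants before trusting a transcribed field definition: irreducibility over GF(2) (Ben-Or's test), whether the root generates a normal basis, and whether that basis is optimal, i.e. the multiplication table alpha * alpha^(2^j) has exactly 2n - 1 = 225 nonzero entries. All function names are this example's own; polynomials over GF(2) are held as Python integers with bit i standing for x^i.

```python
# Added example, not the thesis's code: decode and check the GF(2^113) ONB
# generator polynomial transcribed above. GF(2)[x] polynomials are ints, bit i = x^i.

BITS_113 = (  # first character = coefficient of x^0, as the text states
    "1100000011001110000000000000000000000000"
    "00000000000000000000000011000000110011100000"
    "000000000000110000001100111011"
)

def bits_to_poly(bits):
    """LSB-first bit string -> int whose bit i is the coefficient of x^i."""
    return int(bits[::-1], 2)

def poly_terms(p):
    """Exponents with a nonzero coefficient, ascending."""
    return [i for i in range(p.bit_length()) if (p >> i) & 1]

def gf2_mulmod(a, b, mod):
    """a * b reduced modulo the monic polynomial mod, coefficients in GF(2)."""
    n = mod.bit_length() - 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= mod
    return r

def gf2_gcd(a, b):
    """Euclid's algorithm on GF(2)[x] polynomials."""
    while b:
        while a and a.bit_length() >= b.bit_length():
            a ^= b << (a.bit_length() - b.bit_length())
        a, b = b, a
    return a

def is_irreducible(p):
    """Ben-Or: p is irreducible iff gcd(p, x^(2^i) + x) = 1 for 1 <= i <= deg(p)/2."""
    n = p.bit_length() - 1
    x = xp = 2
    for _ in range(n // 2):
        xp = gf2_mulmod(xp, xp, p)          # x^(2^i) mod p
        if gf2_gcd(p, xp ^ x) != 1:
            return False
    return True

def conjugates(p):
    """alpha, alpha^2, alpha^4, ..., alpha^(2^(n-1)) for alpha = x mod p."""
    n = p.bit_length() - 1
    out, a = [], 2
    for _ in range(n):
        out.append(a)
        a = gf2_mulmod(a, a, p)
    return out

def normal_basis_coords(conj):
    """Gaussian elimination over GF(2). Returns a function mapping a field element
    to the bit mask of its coordinates in the basis conj, or None if the
    conjugates are linearly dependent (then alpha generates no normal basis)."""
    pivots = {}  # leading bit -> (reduced vector, mask of conjugates xored into it)
    for i, v in enumerate(conj):
        combo = 1 << i
        while v:
            lead = v.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = (v, combo)
                break
            pv, pc = pivots[lead]
            v, combo = v ^ pv, combo ^ pc
        else:
            return None  # v reduced to zero: dependent
    def coords(v):
        combo = 0
        while v:
            pv, pc = pivots[v.bit_length() - 1]
            v, combo = v ^ pv, combo ^ pc
        return combo
    return coords

def generates_normal_basis(p):
    return normal_basis_coords(conjugates(p)) is not None

def normal_basis_complexity(p):
    """Number of nonzero entries in the table alpha * alpha^(2^j) written in the
    normal basis; the basis is optimal iff this equals 2n - 1."""
    conj = conjugates(p)
    coords = normal_basis_coords(conj)
    if coords is None:
        raise ValueError("root of p does not generate a normal basis")
    alpha = conj[0]
    return sum(bin(coords(gf2_mulmod(alpha, c, p))).count("1") for c in conj)

if __name__ == "__main__":
    p113 = bits_to_poly(BITS_113)
    print("degree", p113.bit_length() - 1, "terms", poly_terms(p113))
    print("irreducible:", is_irreducible(p113))
    if is_irreducible(p113) and generates_normal_basis(p113):
        print("complexity:", normal_basis_complexity(p113), "(optimal iff 225)")
```

If the transcription of the bit string were wrong in even one position, the irreducibility test would most likely fail, which is exactly why such a check belongs next to any field constant copied from a document.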

The curve coefficients a2, a6 and the publicly chosen point P(X, Y) have been com- 
puted with SIMATH. The normal basis representations of these quantities are 

a2 = 

11110110010111101001100110111111110110111111
10111101010111110111101111101001001110110100
1110111101001100101011011

a6 = 

10001000000000010001000000000100010100101000
01000010000010100010001000000000000000010000
1000010000001000101000000

The X coordinate of P is 

x = 
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To see the encrypted message, we are giving an example of original plaintext and 
corresponding ciphertext for a particular encryption key and the public key of the 
receiver. 

The plaintext is 

The invention of public key cryptography by Diffie and Hellman in 1976 
not only revolutionized the field of cryptography, but also had a profound 
effect on the direction of research in computational number theory. For 
the first time the question of the relative complexity of various number 
theoretic tasks took on a practical urgency. 

The first usable public key system, introduced in 1978, was the 
RSA cryptosystem, which is based on the problem of factoring large 
integers. RSA soon became the best known and most widely used public 
key cryptosystem. 

In 1985 a variant of discrete log cryptography was proposed, based 
on the DLP in the group of points of an elliptic curve defined over a finite 
field. Cryptosystems using discrete logarithms in this group have two po- 
tential advantages over systems based on the multiplicative group of a 
finite field ( and also over systems based on RSA); (1) the great diversity 
of elliptic curves available to provide the groups; and (2) the absence of 
subexponential time algorithms (such as those of ‘index calculus’ type) 
that could find discrete logs in these groups. 

The generated ciphertext is 

ZwQc/k/HagG/rjdUHp4j810EYIgc3enRkMv30JVV0CRjJfU0MuRrSh4pZ/FWFDXum26xC/ 

ZSyH69HeE2+OzJdRiAZ3dwTevQimERzVklny5BKaoPo3oQlFZhW+kyMQEGolOacwicqd43 

ei7TaPcEDYmo+5vKDt4ZhNtuugLuFoxnzjCdlwN5Vp09Gbin2QVFtQ0YyHlDjb0qUIea2fh 

Vxwlrpteswfmk8he/hHhtP9cSXkIQ2dH8k34zL14vvvGlNB/43W0rep8unWFS88tg4oIh4 

kZeZoIC69C2dGT0tcMnQJUbr3opuGlWohl4FJqPRPyXSTghAyd7dGRy8e7kUVRLENm8R5w 

4GtKFimn9XYVMc6aarHL8nJJfo3f4RY7TPn0FJCkd3BP5VSuycqQnBuYJB/9kw+zgSFlrP 

IozZ0p/GhDzTKVZAix+Wpi/z4Vk3eUJ0ZwQc/k/HagG/rjdUHp4j810EYIgc3enRkMv30J 

VV0CRjJfU0MuRrSh4pZ/FWFDXum26xC/ZSyH6BQ2SPKtwkVF7rzUH/yip0y3U4/utVxBak 

YxLpuz7n9f Ltkjfm6n+JWGkM3iWb08j3inR9I8CoXKTbu5AC2305PautelitknnQT0tx4pYC 

KXMxxRLsKwIlCjEzdD2jbaKO+vR3gFHj+gGgJhmZ72ffyxEtnXPZr61jiP/z9cTeWOmGpp 

0iHrQG9miAUkFlJK/ZIPi2XRaaoliwdUd3KNlSyJIngqIREP3n5q6qDaWiheUwpvTMqzKUJ 

jvRB22Z4313UY17T3c8PGLq/HibxnmSBPQ8vbIbg23/IwvldPUxul50UVniZUGFr63Vf0h 

9/cAa0TBwoaLpCxhj9wX4ngRAdH8obePSqfoi3La/GkaLsjdiiindn5'Lb6ii0fX/tGVUAen-t 

S/FFhcMIgwPRVT8r4yTnPTZ2eWYrBhqGfZlTPChtFFcVVYN2o008/7501m7ya5qlUxaZR9 

JZiqiEBjcGfle+a0ylSX0BaJi3DZyvejryNYpDj7Efa7SyVhbxzsuZACTf0jlARcGZkjYy 


ACR91wWvA5Jmv50kudZI0oQZopMdggMfrFru/LEZvkMaQZej3NhcAjXB2tHhtinYsDD4al 

2HkMii8BP9RWkoV0SqD9B4r3vM2ID3RlmRFlkF0HcLr2Fzg4NKUZRWolPpMDEhBaJtGHsI 

HUH+tn4+k2DHxAmJqf+ryQLeWYTrrL4ibBEtiq3nB06+TAhqGJlYlbqI6a71swR9u0tinW 

219XYVMc5aarHL8nJJfo3f4RY7TPn0FJCkd3BP5N+8SN+77rRZTwP+tF9qXKv7pVhEPfLI 

0KSIeGpJin8UjBCtS8TIfLuCX8qtfQ4ubr+10T2vWs8gnv/o3StGDr4Nhnp0kKoYfkhwlkV 

fpXU0MJBG0qZ80dTjYEyXM2ew2DVQ6IKTYYbZSem5I90jrYlpmKdX+lJoDfdZYH8z46oTo 

c345GDiolgzXqZHqH71hiIo3LY3ZM50yxcClgpNXW97H2kuTW5r5o4WXwSsRbVdXizcmZI 

V23w 

How to use this software package 

This software package is very easy to handle from the user's point of view. A 
user should use it according to the following commands. 

Note: Before encrypting a message, make sure that you have the receiver's public 
key. 

Encryption Procedure 

1. Type your message using any editor and save it in a file named "plaintxt". 

2. Now give the command "ecrypt" at the DOS prompt. It will ask for the 
encryption key. Enter your chosen encryption (private) key and wait for the 
encryption to complete. 

3. After the encryption has completed, open the file "ciphertx" to see the 
ciphertext to be transmitted. 

Decryption Procedure 

1. Type the command "dcrypt" at the DOS prompt. It will ask for your 
decryption key. Enter the decryption key and wait for the decryption to 
complete. 

2. After the decryption has completed, open the file "rplaintx" to read the 
received message, which is the original plaintext. 
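As an added illustration of the scheme that ecrypt/dcrypt implement (this is not the thesis's code), the following example gives the affine group law on the curve y^2 + xy = x^3 + a2 x^2 + a6 used throughout the thesis, and an ElGamal round trip in the Menezes-Vanstone form, where the two message blocks are field elements masked by the x and y coordinates of kQ. The thesis does not state which ElGamal variant or block format it used, so that choice, the toy field GF(2^5) defined by x^5 + x^2 + 1 with table-driven multiplication, the curve coefficients A2 and A6, and the scalar ranges are all assumptions of this example.

```python
# Added example, not the thesis's code: group law on y^2 + xy = x^3 + a2*x^2 + a6
# and a Menezes-Vanstone ElGamal round trip over the toy field GF(2^5).
import secrets

N = 5
PRIM = 0b100101            # x^5 + x^2 + 1, irreducible (hence primitive) over GF(2)
ORDER = (1 << N) - 1       # size of the multiplicative group, 31

# Antilog/log tables: EXP[i] = x^i mod PRIM, LOG[EXP[i]] = i.
EXP = [0] * (2 * ORDER)
LOG = [0] * (1 << N)
_v = 1
for _i in range(ORDER):
    EXP[_i] = EXP[_i + ORDER] = _v
    LOG[_v] = _i
    _v <<= 1
    if (_v >> N) & 1:
        _v ^= PRIM

def fmul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def finv(a):
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    return EXP[(ORDER - LOG[a]) % ORDER]

A2, A6 = 0b00001, 0b01011  # constructed coefficients; A6 != 0 keeps the curve non-singular
# The point at infinity O is represented by None.

def on_curve(P):
    if P is None:
        return True
    x, y = P
    x2 = fmul(x, x)
    return fmul(y, y) ^ fmul(x, y) == fmul(x2, x) ^ fmul(A2, x2) ^ A6

def neg(P):
    return None if P is None else (P[0], P[0] ^ P[1])   # -(x, y) = (x, x + y)

def add(P, Q):
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or x1 == 0:      # Q == -P; a point with x = 0 is its own negative
            return None
        lam = x1 ^ fmul(y1, finv(x1))            # doubling
        x3 = fmul(lam, lam) ^ lam ^ A2
        return (x3, fmul(x1, x1) ^ fmul(lam ^ 1, x3))
    lam = fmul(y1 ^ y2, finv(x1 ^ x2))           # general addition
    x3 = fmul(lam, lam) ^ lam ^ x1 ^ x2 ^ A2
    return (x3, fmul(lam, x1 ^ x3) ^ x3 ^ y1)

def mul(k, P):
    """Scalar multiplication by right-to-left double-and-add."""
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def find_point():
    """First affine point with x != 0 (such a point has order at least 3)."""
    for x in range(1, 1 << N):
        for y in range(1 << N):
            if on_curve((x, y)):
                return (x, y)
    raise ValueError("no affine point with x != 0")

def point_order(P):
    n, R = 1, P
    while R is not None:
        R, n = add(R, P), n + 1
    return n

def keygen(P, r):
    """Private d in [1, r-1], public Q = d*P; Q of order 1 or 2 is rejected."""
    while True:
        d = 1 + secrets.randbelow(r - 1)
        Q = mul(d, P)
        if Q is not None and Q[0] != 0:
            return d, Q

def encrypt(P, r, Q, m1, m2):
    """Fresh random k per message; ciphertext is (k*P, m1 * x(kQ), m2 * y(kQ))."""
    while True:
        k = 1 + secrets.randbelow(r - 1)
        Z = mul(k, Q)
        if Z is not None and Z[0] and Z[1]:
            return mul(k, P), fmul(m1, Z[0]), fmul(m2, Z[1])

def decrypt(d, C1, c1, c2):
    Z = mul(d, C1)                              # d*(k*P) == k*(d*P) == k*Q
    return fmul(c1, finv(Z[0])), fmul(c2, finv(Z[1]))

def roundtrip(m1, m2):
    """Key generation, encryption and decryption of two nonzero field elements."""
    P = find_point()
    r = point_order(P)
    d, Q = keygen(P, r)
    C1, c1, c2 = encrypt(P, r, Q, m1, m2)
    return decrypt(d, C1, c1, c2)

if __name__ == "__main__":
    print("recovered:", roundtrip(0b10110, 0b00111))
```

Note that in the procedure above the user types the "encryption key" by hand. In ElGamal that value is the ephemeral scalar k, and it must be a fresh, uniformly random scalar for every message, never chosen by hand and never reused: a repeated k gives the same mask kQ, so equal plaintext blocks produce equal ciphertext blocks, and anyone who learns one plaintext block recovers the mask for every other block sent under that k. The example therefore draws k from the system CSPRNG; for real use both d and k must be drawn from the full order of a base point on a curve of prime (or near-prime) order, not from the toy ranges used here.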




Performance 

With particular values of the encryption and decryption keys, a file of 106 Kbit 
(both quoted rates correspond to 106 x 1024 = 108 544 bits, about 13 KB) could be 
encrypted in 880 seconds, an encryption rate of 124 bits/sec, and decrypted in 
640 seconds, a decryption rate of 170 bits/sec. The code occupies about 0.5 MB 
of memory. 

5.5 Implementation of Encryption/Decryption on the TMS320C40 Digital 
Signal Processor Using an Optimizing C Cross Compiler 

The work that motivated ours is that of Barrett, Wiener and Davio et al. [PB86, DDFG83]. 
Barrett observed the effectiveness of digital signal processors for cryptography and 
presented an implementation of RSA on Texas Instruments' TMS32010 [PB86]. 
Davio et al. made considerable progress in efficient techniques for DES [DDFG83]. 
Here we have implemented the elliptic curve public key cryptosystem on Texas 
Instruments' TMS320C40 25 MHz digital signal processor. 

The approach we adopted is based on an optimizing C cross compiler. This 
compiler takes ANSI C programs as input and generates TMS320C40 assembly 
language programs as output. For detailed information on the hardware archi- 
tecture and the C cross compiler, the reader may refer to the TMS320C4x User's Guide 
and the TMS320 Floating-Point DSP Optimizing C Compiler User's Guide. 

For this implementation we were provided with a DSP board installed 
in a 40 MHz Intel 486 PC. The DSP board is the target processor and the 
PC is the host processor. For every operation to be implemented we have to write 
two programs: one for the DSP board (simply the ANSI C source code of the 
operation) and one for the host to communicate with the DSP board. The 
host program takes input from the keyboard and writes output to the screen; 
it downloads the data to the board and, after the board has finished executing, 
uploads the results from the board. For writing the host program 
we were provided with a Run-Time Library Reference containing the uploading and 
downloading routines. For more information see the SPIRIT-40 ISA User's Guide. 

We could successfully implement the field operations and the elliptic 
curve operations, and then message encryption and decryption based on them, 
over much larger fields (up to GF(2^303)). As examples we have taken GF(2^…), 
GF(2^155) and GF(2^303). The curve chosen is non-supersingular, i.e. y^2 + xy = x^3 + 
a2 x^2 + a6. 


Over GF(2^…) 


The generated minimal polynomial of the ONB generator, over which the field is defined, is 
lOOOlOllOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO 
0000000000000000 00 OOIOOOIQIIOOOOOOOOOOOOOOOO 
000000001000101 1000 0 0 000 1 0 001 0 1 1 1 OOOOOOOTOOOl on 


The curve coefficients and the publicly chosen point P are: 


a2 = 

1111111111111100101111111010111111111111100
1011111111111111111111111111111111111111111


a6 = 

00011111101111111111111111111111111111111111
1 1 1 11 0 11 1 1 ll linilll 11 II TIT 11 1101 1 1 1 1 11 1 11 1 
01101111


The publicly chosen point P(X, Y) is 


x = 
10000110010101011100011000110110000011000011 

OOOlllOlOlOOOlOllOlllOOlOCllOlOOOOOlllOlOOO 

lOOOOOlllOOOllllllOOOlllOlllOllOOOOOOlOllOlOOOOO 


y = 

01011011110010110101111010000000101000100010
0001111001011111101000111010000001111001100
010011111101011111100001001111010001000011001100

Over GF(2^155) 


The generated minimal polynomial of the ONB generator is 

10111000000000001011100010110000000000000000
00000000000000000000101110000000000010111000
10110000101110000000000000000000000000001011
100000000000101110001011


a2 = 

110111110110000010 1 1110 01 nil 0 0011001001 1 001 

1 0 0010111101 10101 1 100 110000 010 0 10 1 11111 lllOO 
0 0 1 0 0 1 1 1 1 1 1 1 1 1 1 1 0 0 0 0 1 1 1 1 0 1 1 1 1 0 0 1 1 0 1 1 0 0 1 0 1 1 1 1 
11010010011100101110011 

a6 = 

01111111001001000111110101110011110110001001
10011001111111111111000101101001111111111101
11101011110000111011110011111110011110010110
11110101111100111111011

The point P(X, Y) is 


x = 
lOllOllOOOullOOOlOOOlllOlOllllllOOlOOlOOOOlO 
OlOOlOlOOlOOOlOOOOOlOOlllOllOOlOOOlllOllOlOO 
OOllOlOlllOOlOllOlOlllllOlllOlOOllllOOOlllOO 
110110111. 1001 1110110100 

y = 

01010000111110010011000100100011010001100000
01001001111000101101101011001010101111101110
10101011101101101110111011100111000101000101
01111010111111111110111

Over GF(2^303) 


The generated minimal polynomial of the ONB generator is 

1000000010001011100000000000000010000000100
0101100000000000000000000000000000000000000
0000000000000000000000000000000000000000001
0000000100010111000000000000000100000001000
101100000000000000001000000010001011100000
000000000000000000000000000000000000000000
100000001000101110000000000000001000000010001011

a2 = 

0111111111100001111111111110010111001000011
1001010011110101111111101011101000111111111
0111111101101000111001111110110111111010011
000000011101000001111111001100000010110011
110000001111111110011111111111100001000010
111111111101111111110011111110001000101100
001101111111101011101100001011110110101101011111


a6 = 

1111111111101001111111111110111110010111011
1110111110101111111111101011111010111110110
1111101111111110001111111101110111011111000
011111101111101111111111011011011111111011
110111100111111110111111111111101011111111
111111111101111111010111111110100111111111


The point P(X, Y) is 

x = 

1011011011110100101100111110101100010110011
0110101010110111110000101101111100100101111
1010011101010110100001000111011100011101000
011111001101000011001110010001101110101111
101101111110100101111000000011110101010000
000011001000010101100011110110101110011000
000101100110110101000101110100011100011111111011

y = 

0011001111010101 1 0 111 IIOOOOOIOOOOII 110 lOlOlO 
1 1 1 1 1 1 0 1 0 1 1 0 1 1 0 6 1 0 0 0 1 0 0 1 1 1 0 0 1 0 1 0 0 1 1 0 1 1 0 1 1 1 0 1 

1 0 1 1 0 1 0 0 0 1 1 0 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 01 0 1 0 1 1 0 1 1 1 1 

0001 0 110010001 000 1 0 1 0 1 0 0 0 1 1 0 1 1 0 0 1 1 1 1 0 0 0 0 1 0 0 1 
1 1 1 1 1 1 0 0 1 0 0 1 1 0 0 1 1 1 0 1 1 0 1 1 1 1 0 1 1 0 0 0 0 0 1 1 0 0 0 0 0 1 1 1 

1 1 1 0 0 0 1 1 1 0 1 0 1 1 0 0 0 0 0 0 1 0 0 0 1 1 1 0 1 0 0 1 0 0 1 1 1 0 0 1 0 1 0 0 

0 1 0 1 0 0 0 0 0 1 0 0 1 1 0 1 0 0 0 0 1 1 0 1 0 0 1 1 0 1 0 1 1 0 1 1 1 1 1 

Here all the curve coefficients and point coordinates are given in normal 
basis representation. The first bit denotes the LSB and the last bit the MSB. 

The following tables show the timing results we obtained for various field 
sizes. The five columns are in order of increasing field size; the exponents in 
the first four column headings are illegible in the source, and the largest field 
is GF(2^303). 

                            GF(2^…)   GF(2^…)   GF(2^…)   GF(2^…)  GF(2^303)
one field multiplication     3 sec.    5 sec.    7 sec.   13 sec.    53 sec.
one field inversion         22 sec.   44 sec.   71 sec.  160 sec.   638 sec.

Table 3. Times for field operations on TMS320C40 25 MHz. 



                            GF(2^…)   GF(2^…)   GF(2^…)   GF(2^…)  GF(2^303)
one curve addition          29 sec.   54 sec.   86 sec.  187 sec.   745 sec.
one curve doubling          32 sec.   58 sec.   93 sec.  200 sec.   798 sec.

Table 4. Times for elliptic curve operations on TMS320C40 25 MHz. 

With these timing results we conclude this chapter. The two tables are consistent 
with an affine addition costing one inversion plus two multiplications and a doubling 
one inversion plus three (in the first column 22 + 2 x 3 = 28 against 29 sec. and 
22 + 3 x 3 = 31 against 32 sec.), so field inversion dominates the cost of the curve 
operations. We do not claim our implementation to be efficient from the memory or 
speed point of view; more efficient code may be written using other programming 
techniques and algorithm modifications, but we have tried our best throughout the 
implementation work. 

























Chapter 6 


Conclusions and Future Work 


After discussing the various aspects involved in the implementation of efficient and 
secure elliptic curve cryptosystems, we conclude the thesis with a review of the main 
points and the scope for future work. 

6.1 Conclusions 

The aim of this thesis was mainly the software implementation of efficient and 
secure elliptic curve public key cryptosystems over the Galois field GF(2^n). 
While writing the thesis this aim was kept in mind, so that we covered only 
those aspects of elliptic curves which are necessary and sufficient from the 
implementation point of view. We designed an elliptic curve based smart card 
cryptosystem. Elliptic curves were found to be very effective and advantageous 
compared to RSA for smart card design. Since arithmetic in a Galois field is time 
consuming, its efficient implementation was our main issue. We examined the 
effectiveness of optimal normal bases for making the implementation efficient. We 
gave procedures in implementable form for Galois field operations as well as for 
elliptic curve operations. The effectiveness of these procedures was tested through 
implementation on both a Pentium and a digital signal processor. A software 
package was developed for message encryption and decryption over GF(2^113) 
for e-mail and fax security and was successfully tested on Pentium processors 
running DOS and Linux. Encryption and decryption over fields as large as 
GF(2^303) could be done successfully on the TMS320C40 25 MHz digital signal 
processor. The elliptic curve based ElGamal scheme over GF(2^n) was employed 
for message encryption and decryption. Even though the encryption rate is too 
low, the software implementation can be used to study the implementation over 
various curves. An important point about the implementation is that all the work 
has been done in ANSI C without using any ready-made package such as SIMATH. 
For applications such as e-mail security and smart card programming this approach 
is very useful, because installing a whole package is not possible with limited 
memory. 

6.2 Future Work 

In this thesis we implemented software for elliptic curve based data encryption 
and decryption, particularly for smart card based applications. In future this 
work can be extended to implement a complete smart card based off-line electronic 
payment system for remote shopping over the Internet. Internet commerce is 
the hottest topic of today and of the future. Most of the presently used electronic 
payment systems are credit card based, on-line payment systems employing the RSA 
and DSS public key algorithms. These algorithms can be replaced by elliptic curve 
public key algorithms in future. The disadvantage of an on-line payment system is 
that a couple of banks have to be involved during the whole transaction, which 
wastes communication bandwidth and time. An alternative approach is the smart 
card based off-line payment system, in which the card plays the role of the banks 
and itself does all the authentication, encryption and decryption required during 
the transaction. The card does so using software written into its EEPROM. The 
elliptic curve based software may be very useful for such applications. 



Appendix A 


An Introduction to Electronic 
Commerce 

A.1 Introduction 

In this age of networking and inter-networking, business is moving from face-to-face 
trading, mail order and telephone order to electronic commerce over open networks 
such as the Internet. If you have a PC, a credit card and, of course, Internet access, 
you can purchase goods remotely without needing to go to the shopkeeper. If a smart 
card reader is attached to your workstation, you can make your business transaction 
by just inserting the smart card into the reader. Since the Internet is an insecure, 
publicly available open network, securing payments over it between commercial 
servers and consumer workstations poses challenges of a new dimension. In the 
following sections we attempt to provide an overview of electronic payment systems, 
focusing on issues related to their security. 

A.2 Electronic Payment Models 

In a traditional payment system the participants involved are the payer, the payee and 
at least one financial institution (usually a bank) to guarantee the validity of the money. 
The same participants are involved in an electronic payment system; only, the role of 
the financial institution is divided into two parts: an issuer (used by the payer) and an 
acquirer (used by the payee). 

How does the real money reach the payee? The flow of real money from 
payer to payee goes from payer to issuer, issuer to acquirer, and acquirer to 
payee. According to the payment method, the payment models can be categorized 
as follows. 

Prepaid (cash-like) payment systems 

A certain amount of money is taken away from the payer (for example, by deb- 
iting that amount from the payer's bank account) before purchases are made. This 
amount of money can be used for payments later. Smart card based electronic 
purses, electronic cash as well as bank cheques fall into this category. The model is 
shown below. 

(Figure: actual flow of real money through the banks; payment made 
electronically over the Internet.) 

Figure A.1: Cash-like Payment System 

Pay-now payment systems 

In pay-now payment systems the payer's account is debited at the time of pay- 
ment. ATM card based systems fall into this category. 


Pay-later (credit) payment systems 

In these payment systems the payee's bank account is credited with the amount of 
the sale before the payer's account is debited. Credit card systems fall into this 
category. Typical flows of these systems are shown below. As a payment is always 
made by sending some sort of "form" from payer to payee (cheque, credit card slip, 
etc.), we call these systems cheque-like. 
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Figure A. 2: Cheque-like Payment System 


A.3 Security Requirements 

In general, one or more of the following security requirements must be met by 
an electronic payment system. 

Integrity and Authorization 

No money is taken from a user unless a payment is explicitly authorized by him. 
Moreover, users might require not to receive any payment without their explicit con- 
sent; this is desirable when users want to avoid unsolicited bribery. 

Confidentiality 

Knowledge of the various pieces of information related to a transaction, such 
as the identity of payer and payee, purchase content, amount, etc., must be restricted 
to the participants involved. 

Availability and Reliability 

All parties require the ability to make or receive payments whenever necessary. 
Payment transactions must be atomic: they occur entirely or not at all, but never 
hang in an unknown or inconsistent state. No payer would accept a loss of money 
due to a network or system crash. 

A.4 On-line vs. Off-line Payment Systems 

In on-line payment systems an authorization server (usually part of the issuer or 
acquirer) has to be involved in each payment. In off-line systems only payer 
and payee take part, without involving any third party during the payment. 

The obvious problem with off-line payments is how to prevent payers from 
spending more money than they actually possess. Since e-money is just a bunch 
of bits, a piece of e-money is very easy to duplicate. A trivial e-money system 
would allow a piece of e-money to be copied and both copies spent, and the user 
could become a millionaire in a matter of a few minutes. This is known as the 
double spending problem. 

On-line systems prevent double spending by requiring the seller to 
contact the bank's computer with every sale. The bank's computer maintains a 
database of all the spent pieces of e-money and can easily tell the seller 
whether a given piece of e-money is still spendable. 

Off-line systems prevent double spending by using tamper-resistant hardware, 
such as smart cards, at the payer's end. The chip inside the smart card keeps a small 
database of all the pieces of e-money spent by that card. If the owner of the 
smart card attempts to copy some e-money and spend it twice, the embedded chip 
would detect the attempt and would not allow the transaction. This protection 
holds only as long as the card's tamper resistance holds; an attacker who can 
extract the card's secrets is no longer bound by its database. 

On-line payment systems obviously require more communication, but not 
necessarily tamper-resistant hardware. In general they are considered more secure 
than off-line systems. 

A.5 Anonymity of Payer 

Some payment systems provide payer anonymity and untraceability. Payers prefer to 
keep their everyday payment activities private. Certainly they do not want unrelated 
third parties to observe and track their payments. Often, they prefer the payees 
(shops, publishers, etc.) and in some cases even banks to be incapable of observing 
and tracking their payments. 

Whereas anonymity simply means that the payer’s identity is not used in 
payments, untraceability means that, in addition, two different payments by the 
same payer cannot be linked. By encrypting all flows between payer and payee, all 
payment systems could be made untraceable by outsiders. Payer anonymity with 
respect to the payee can be achieved by using pseudonyms instead of real identities. 


A.6 Some Proposed Electronic Payment Systems 

Secure Electronic Transactions (SET) 

SET is likely to be widely adopted for credit card payments over the Internet. It 
concentrates on securely communicating credit card numbers between a payer and 
an acquirer. In our classification SET falls under the cheque-like model. In a first 
handshake the seller authenticates itself to the payer and all offer and payment data 
are fixed. The payer then generates a payment slip using a sophisticated encryption 
scheme which protects the sensitive payment information (e.g. the credit card number), 
limits the encryption to selected fields to ease export approval, cryptographically ties 
in the order information, and minimizes exposure of the user's privacy. This slip is 
then signed by the payer to authorize the payment and is sent to the seller, who 
sends it to its acquirer to authorize and capture the payment. The acquirer checks 
all signatures and the slip, verifies the creditworthiness of the payer over the existing 
network and, depending on the outcome, sends either a positive or a negative signed 
acknowledgment back to seller and buyer. For technical information about SET, 
refer to [SET]. 

E-Cash 

E-Cash, a cash-like payment system, provides high levels of anonymity and un- 
traceability. E-Cash is based on the concept of blind signatures. When an entity 
A wants to obtain a blind signature on a message m from an entity B, A generates a 
blinded message m' from m and requests B to sign m' and return the blind signature 
sign_B(m') to A. The blinding transformation is such that: 

• B (and no one else) can construct sign_B(x) given x, but anyone can verify it. 

• A (and no one else) can derive the signature on m, i.e. sign_B(m), given the 
blind signature sign_B(m'). 
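As an added worked example (not from the thesis or from any e-cash product), here is Chaum's RSA blind signature, which is the blinding transformation the two properties above describe. The RSA key is a textbook toy (p = 61, q = 53) constructed for the example, and the message is signed raw, without the hash-and-pad step a real scheme needs; the function names are this example's own.

```python
# Added example, not from the thesis: Chaum's RSA blind signature with a toy key.
import math
import secrets

P_TOY, Q_TOY = 61, 53
N_RSA = P_TOY * Q_TOY                                   # 3233
E_RSA = 17
D_RSA = pow(E_RSA, -1, (P_TOY - 1) * (Q_TOY - 1))     # 2753

def blind(m, n=N_RSA, e=E_RSA):
    """A: pick a random blinding factor r coprime to n and hide m as m' = m * r^e mod n."""
    while True:
        r = 2 + secrets.randbelow(n - 2)
        if math.gcd(r, n) == 1:
            return (m * pow(r, e, n)) % n, r

def sign(x, d=D_RSA, n=N_RSA):
    """B: raw RSA signing of whatever it is handed; B never sees m or r."""
    return pow(x, d, n)

def unblind(s_blind, r, n=N_RSA):
    """A: strip the factor r, since (m * r^e)^d = m^d * r mod n."""
    return (s_blind * pow(r, -1, n)) % n

def verify(m, s, e=E_RSA, n=N_RSA):
    """Anyone: check s^e == m mod n with B's public key."""
    return pow(s, e, n) == m % n

def blind_signature_roundtrip(m):
    """Returns (signature on m, verification result, the blinded value B saw)."""
    m_blind, r = blind(m)
    s = unblind(sign(m_blind), r)
    return s, verify(m, s), m_blind

if __name__ == "__main__":
    print(blind_signature_roundtrip(1234))
```

The unblinding works because RSA signing is multiplicative: (m r^e)^d = m^d r mod n. B sees only m' and so cannot later link the signature s to the signing session, which is what gives the payer untraceability; A can compute s only because A knows r. Real deployments hash the message before blinding, since raw RSA signatures on attacker-chosen values can be multiplied together to forge signatures on new values.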

To know more about these systems, refer to [Ecash]. 

With these proposed systems we conclude this brief introduction to elec- 
tronic payment systems. A lot of information is available on the Internet on this 
subject; interested readers may refer to [SEMPER]. 
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